Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
    > I tried putting in my conf:

    > serial = none

    > and that made an error.

    > Best I have done is a serial of length 1 byte. But in my work, the
    > subject or SAN provide uniqueness and CRLs will not be used. So want
    > to see if I can create a cert with NO serial number.

I don't think RFC5280 lets you do that.
Section 4.1 says:

   TBSCertificate  ::=  SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,

so making it one byte is the best you can do.
serialNumber is not an optional field.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [
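
Added example, not part of the original message or of any project's code: a minimal DER walk of the start of a TBSCertificate that shows why a parser following the quoted ASN.1 accepts a one-byte serialNumber but rejects a structure with the field left out. The function names and the sample byte strings are constructed for illustration, and the samples stop after the signature field.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def serial_of_tbs(tbs_der):
    """Return the serialNumber content octets, or raise ValueError if absent."""
    tag, body, _ = read_tlv(tbs_der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    tag, value, nxt = read_tlv(body, 0)
    if tag == 0xA0:                        # version [0] EXPLICIT ... DEFAULT v1: may be omitted
        tag, value, nxt = read_tlv(body, nxt)
    if tag != 0x02:                        # serialNumber has no OPTIONAL/DEFAULT: must be next
        raise ValueError("serialNumber INTEGER missing, found tag 0x%02x" % tag)
    if len(value) == 0:                    # a DER INTEGER has at least one content octet
        raise ValueError("INTEGER with no content octets is not valid DER")
    return value


def tlv(tag, value):
    """Encode a short-form DER TLV; used only to build the constructed samples."""
    if len(value) >= 128:
        raise ValueError("sample helper handles short-form lengths only")
    return bytes([tag, len(value)]) + value


# Constructed sample data (not taken from a real certificate).
VERSION = tlv(0xA0, tlv(0x02, b"\x02"))                            # v3
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
TBS_ONE_BYTE = tlv(0x30, VERSION + tlv(0x02, b"\x01") + SIG_ALG)   # 1-byte serial
TBS_NO_SERIAL = tlv(0x30, VERSION + SIG_ALG)                       # serial left out

if __name__ == "__main__":
    print("one-byte serial:", serial_of_tbs(TBS_ONE_BYTE).hex())
    try:
        serial_of_tbs(TBS_NO_SERIAL)
    except ValueError as exc:
        print("no serial:", exc)
```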