The serialNumber of the certificate. Not the serialNumber as part of a DN.
On 7/21/23 09:11, Corey Bonnell wrote:
Hi Robert,
Are you referring to the serialNumber field of a certificate, or the
serialNumber name attribute? The former is encoded as an ASN.1 INTEGER, not an
OID.
Thanks,
Corey
-----Original Message-----
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Robert
Moskowitz
Sent: Friday, July 21, 2023 8:59 AM
To: openssl-users@xxxxxxxxxxx
Subject: rfc5280 serialNumber question
Per sec 4.1.2.2
Given the uniqueness requirements above, serial numbers can be
expected to contain long integers. Certificate users MUST be able to
handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
use serialNumber values longer than 20 octets.
At some point some years ago it was pointed out here that serialNumber OID
encoding preappends 0x00 if the first bit is a 1.
Does this actually make the serialNumber a byte longer? Or is this only
encoding? Thus IF that first bit is a 1, obviously the OID value is a byte
longer. But when the serialNumber OID is decoded is this longer value
returned or the original value?
I am girding up to debate an implementation where the CP says serialNumber
MUST be unique, and their implementation uses a 20-byte SN. I don't think
they take care at all about the value of the 1st byte. I doubt in their
testing to date they have generated a SN in that range.
So how does the SN with the added byte get decoded?
thanks
