Overview#

The Certificate Serial Number field provides a short form, unique identifier for each Certificate generated by an Certificate Issuer.

An Certificate Issuer must ensure that no two distinct Certificates with the same Certificate Issuer DN contain the same serial number.

X.509 Style Guide#

CertificateSerialNumber ::= INTEGER

This should be unique for each certificate issued by a Certificate Authority (typically a CA will keep a counter in persistent store somewhere, perhaps a config file under Unix and in the registry under Windows). A better way is to take the current time in seconds and subtract some base time like the first time you ran the software, to keep the numbers manageable. This has the further advantage over a simple sequential numbering scheme that it doesn't allow tracking of the number of certificates which have been signed by a CA, which can have nasty consequences both if various braindamaged government regulation attempts ever come to fruition, and because by using sequential numbers a CA ends up revealing just how few certs it's actually signing (at the cost of a cert per week, the competition can find out exactly how many certs are being issued each week).

Although this is never mentioned in any standards document, using negative serial numbers is probably a bit silly (note the caveat about encoding INTEGER values in the section on SubjectPublicKeyInfo).

Serial numbers aren't necessarily restricted to 32-bit quantitues. For example the RSADSI Commercial Certification Authority serial number is 0x0241000016, which is larger than 32 bits, and Verisign seem to like using 128 or 160-bit hashes as serial numbers. If you're writing certificate-handling code, just treat the serial number as a blob which happens to be an encoded integer (this is particularly important for the case of the vendors who have forgotten that the high bit of an integer is the sign bit, and generate negative serial numbers for their certificates).

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-2) was last changed on 12-May-2017 12:10 by jim