Certificate serial numbers must be unique. They need not be sequential or increasing. (Mozilla's NSS will complain and refuse to work if there are duplicate serial numbers.)

I tend not to re-use keys, so I've found that putting 20 bytes (while clearing the high bit) of a digest of the SubjectPublicKeyInfo as the serial number works in that circumstance. [If you leave the high bit set, then DER mandates that it be encoded with a leading 0x00 byte, which makes it 21 bytes... which can cause problems with things built for PKIX.]

-Kyle H

On Wed, Aug 16, 2017 at 6:24 AM, Tom Browder <tom.brow...@gmail.com> wrote:
> Many years ago I started a CA for one group I manage for a private
> website, and now I want to update members' client certs for the stricter
> requirements for browsers.
>
> My original cert generation was entirely automated including the following:
>
> + CN for each is an e-mail address for the member
>
> + the passphrase for each member's cert is determined from a pre-generated
> list by me, it will not change
>
> I plan to tidy my automation before the issue of new certs, but I wonder
> how critical it is to ensure unique certificate serial numbers given that
> the certs are only used for us. I'm not even sure I'll ever revoke any
> cert (they were issued to expire sometime in 2030).
>
> So, in summary, do I need to ensure cert serial numbers are unique for my
> CA?
>
> With warmest regards,
>
> -Tom
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
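The serial-number scheme Kyle describes above (20 digest bytes of the SubjectPublicKeyInfo, high bit cleared) and the 21-byte DER effect he warns about, as an added worked example that is not part of the mailing-list thread. It uses SHA-256 for the digest (the post only says "a digest", so that is an assumption), a constructed placeholder byte string in place of a real SPKI, and checks the result against the RFC 5280 limits (positive, at most 20 content octets). The small `SerialRegistry` at the end shows the caveat Kyle attaches to his own use: the serials are only unique while keys are never reused.

```python
import hashlib

# Constructed sample input (not a real key): a byte string standing in for a DER
# SubjectPublicKeyInfo. Any DER SPKI bytes would be handled the same way.
SAMPLE_SPKI = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00") + bytes(range(141))

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serial is a positive INTEGER of at most 20 octets


def serial_from_spki(spki_der: bytes, digest: str = "sha256") -> int:
    """The scheme from the post: take 20 bytes of a digest of the SPKI and clear the
    high bit so the DER INTEGER never needs a sign-padding 0x00 byte.
    (SHA-256 is an assumption; the post only says "a digest".)"""
    d = bytearray(hashlib.new(digest, spki_der).digest()[:MAX_SERIAL_OCTETS])
    d[0] &= 0x7F  # clear the high bit of the most significant byte
    return int.from_bytes(d, "big")


def der_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02).
    If the top bit of the leading content octet would be set, DER prepends 0x00 so
    the value is not read as negative; that is the 21st byte the post warns about."""
    if value < 0:
        raise ValueError("certificate serials must be positive")
    n = (value.bit_length() + 8) // 8  # one extra bit is reserved for the sign
    content = value.to_bytes(n, "big")
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:  # long-form length: 0x80 | number of length octets, then the length itself
        lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x02" + length + content


def serial_content_octets(value: int) -> int:
    """Number of INTEGER content octets the serial occupies on the wire."""
    enc = der_integer(value)
    return len(enc) - 2 if enc[1] < 0x80 else len(enc) - 2 - (enc[1] & 0x7F)


def is_pkix_friendly_serial(value: int) -> bool:
    """RFC 5280 constraints: positive and no more than 20 content octets."""
    return value > 0 and serial_content_octets(value) <= MAX_SERIAL_OCTETS


def high_bit_effect(spki_der: bytes) -> tuple[int, int]:
    """Content-octet count for the raw 20 digest bytes versus the high-bit-cleared
    serial. The raw value needs 21 octets whenever its top bit happens to be set."""
    raw = int.from_bytes(hashlib.sha256(spki_der).digest()[:MAX_SERIAL_OCTETS], "big")
    return serial_content_octets(raw), serial_content_octets(serial_from_spki(spki_der))


class SerialRegistry:
    """Duplicate guard: the digest scheme is only unique while keys are not reused,
    so a CA using it should still refuse to issue twice for the same SPKI."""

    def __init__(self) -> None:
        self._seen: set[int] = set()

    def issue(self, spki_der: bytes) -> int:
        serial = serial_from_spki(spki_der)
        if serial in self._seen:
            raise ValueError("duplicate serial: this key already has a certificate")
        self._seen.add(serial)
        return serial


if __name__ == "__main__":
    s = serial_from_spki(SAMPLE_SPKI)
    print(f"serial = {s:x}")
    print("content octets (raw digest, high bit cleared):", high_bit_effect(SAMPLE_SPKI))
    print("DER:", der_integer(s).hex())
```

`der_integer` is deliberately minimal-DER: a leading 0x00 appears only when the sign bit would otherwise be set, which is exactly why clearing the high bit keeps the serial at 20 content octets. `is_pkix_friendly_serial` is the check to run on any serial before signing, whatever scheme produced it.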