What is the maximum length (if string) or size (if number) of a serial
number?

I am using the current datetime to set the initial serial number for my
CA to provide a reasonable measure of uniqueness:

    # example: 200507171152001
    SERIALINIT=$(date +%Y%m%d%H%M)001
    echo $SERIALINIT > serial

Do I need to be concerned with the number of characters or the number of
bits used to represent the serial number? Is there an RFC that defines this?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                                [hidden email]
Automated List Manager                                   [hidden email]
On Sun, 2005-07-17 at 12:03 -0400, Jorey Bump wrote:
> What is the maximum length (if string) or size (if number) of a serial
> number?
>
> I am using the current datetime to set the initial serial number for my
> CA to provide a reasonable measure of uniqueness:
>
>     # example: 200507171152001
>     SERIALINIT=$(date +%Y%m%d%H%M)001
>     echo $SERIALINIT > serial
>
> Do I need to be concerned with the number of characters or the number of
> bits used to represent the serial number? Is there an RFC that defines this?
>

I found this in RFC 2459 (http://www.faqs.org/rfcs/rfc2459.html)

*******************************************************************
4.1 Basic Certificate Fields

   The X.509 v3 certificate basic syntax is as follows. For signature
   calculation, the certificate is encoded using the ASN.1 distinguished
   encoding rules (DER) [X.208]. ASN.1 DER encoding is a tag, length,
   value encoding system for each element.

   ...

   CertificateSerialNumber ::= INTEGER

   ...
*******************************************************************

and then I found this (http://gost.isi.edu/brian/security/asn1.html)

********************************************************************
...

And that's all that we need. This second specification introduces us to another
primitive, INTEGER, which is exactly what it sounds like, an integer. The
difference between this integer and that which resides on most machines is that
this one is arbitrarily large: the ASN.1 encoding for integer allows for integers
of whatever size.
...
********************************************************************

Here is the ASN.1 website - http://asn1.elibel.tm.fr/

Todd
Todd Wease wrote:
> On Sun, 2005-07-17 at 12:03 -0400, Jorey Bump wrote:
>
> > What is the maximum length (if string) or size (if number) of a serial
> > number?
> >
> > I am using the current datetime to set the initial serial number for my
> > CA to provide a reasonable measure of uniqueness:
> >
> >     # example: 200507171152001
> >     SERIALINIT=$(date +%Y%m%d%H%M)001
> >     echo $SERIALINIT > serial
> >
> > Do I need to be concerned with the number of characters or the number of
> > bits used to represent the serial number? Is there an RFC that defines this?
>
> I found this in RFC 2459 (http://www.faqs.org/rfcs/rfc2459.html)
>
> *******************************************************************
> 4.1 Basic Certificate Fields
>
>    The X.509 v3 certificate basic syntax is as follows. For signature
>    calculation, the certificate is encoded using the ASN.1 distinguished
>    encoding rules (DER) [X.208]. ASN.1 DER encoding is a tag, length,
>    value encoding system for each element.
>
>    ...
>
>    CertificateSerialNumber ::= INTEGER
>
>    ...
> *******************************************************************
>
> and then I found this (http://gost.isi.edu/brian/security/asn1.html)
>
> ********************************************************************
> ...
>
> And that's all that we need. This second specification introduces us to another
> primitive, INTEGER, which is exactly what it sounds like, an integer. The
> difference between this integer and that which resides on most machines is that
> this one is arbitrarily large: the ASN.1 encoding for integer allows for integers
> of whatever size.
> ...
> ********************************************************************
>
> Here is the ASN.1 website - http://asn1.elibel.tm.fr/

Thanks, Todd.
There is one caveat: the number of characters must be even:

    unable to load number from /etc/ssl/CA/serial
    error while loading serial number
    3068:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars:f_int.c:162:

Therefore, I needed to modify my command:

    # example: 2005071711520001 (16 char, must be even # of chars)
    echo $(date +%Y%m%d%H%M)0001 > serial
Jorey Bump wrote:
> There is one caveat: the number of characters must be even:
>
>     unable to load number from /etc/ssl/CA/serial
>     error while loading serial number
>     3068:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number
>     of chars:f_int.c:162:
>
> Therefore, I needed to modify my command:
>
>     # example: 2005071711520001 (16 char, must be even # of chars)
>     echo $(date +%Y%m%d%H%M)0001 > serial

And RFC 3280 has this to say:

4.1.2.2 Serial number

   The serial number MUST be a positive integer assigned by the CA to
   each certificate. It MUST be unique for each certificate issued by a
   given CA (i.e., the issuer name and serial number identify a unique
   certificate). CAs MUST force the serialNumber to be a non-negative
   integer.

   Given the uniqueness requirements above, serial numbers can be
   expected to contain long integers. Certificate users MUST be able to
   handle serialNumber values up to 20 octets. Conformant CAs MUST NOT
   use serialNumber values longer than 20 octets.

   Note: Non-conforming CAs may issue certificates with serial numbers
   that are negative, or zero. Certificate users SHOULD be prepared to
   gracefully handle such certificates.

I guess this limits serial numbers to 20 numeric characters, and I assume
this includes leading zeroes, unless the asn1 encoding routine strips them.
Unfortunately, this limits the life of my CA to 99,997,994,928,288,479,998
signed certificates, using the example I've given above. ;)
Jorey Bump writes:
> And RFC 3280 has this to say:
>
> 4.1.2.2 Serial number
>
>    The serial number MUST be a positive integer assigned by the CA to
>    each certificate. It MUST be unique for each certificate issued by a
>    given CA (i.e., the issuer name and serial number identify a unique
>    certificate). CAs MUST force the serialNumber to be a non-negative
>    integer.
>
>    Given the uniqueness requirements above, serial numbers can be
>    expected to contain long integers. Certificate users MUST be able to
>    handle serialNumber values up to 20 octets. Conformant CAs MUST NOT
>    use serialNumber values longer than 20 octets.
>
>    Note: Non-conforming CAs may issue certificates with serial numbers
>    that are negative, or zero. Certificate users SHOULD be prepared to
>    gracefully handle such certificates.
>
> I guess this limits serial numbers to 20 numeric characters,

You do realise, don't you, that 20 octets isn't the same as 20 numeric
characters? This means that your serial number span is 0 to 2^(8*20)-1,
which is 2^160 different values. That's enough to give every atom in the
known universe a few certs each. I bet that's enough for your purposes :-).

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
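An added example, not code from the thread or from OpenSSL, that applies the two constraints the thread arrives at to a candidate `serial` file value: OpenSSL reads the file as hexadecimal and rejects an odd number of characters, and RFC 3280 section 4.1.2.2 caps the DER-encoded serialNumber at 20 octets. One caveat worth checking for: a DER INTEGER whose top bit is set needs a leading 0x00 octet to stay positive, and that octet counts toward the 20. The function names are my own.

```python
# Added example (not from the thread or OpenSSL): checks a candidate
# OpenSSL CA 'serial' file value against the constraints raised above.
from datetime import datetime

MAX_SERIAL_OCTETS = 20  # RFC 3280, section 4.1.2.2


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER: big-endian two's complement,
    minimal length.  A non-negative value whose top bit is set gets a
    leading 0x00 so it is not read back as negative."""
    if value == 0:
        return b"\x00"
    length = (value.bit_length() + 8) // 8  # one extra bit for the sign
    return value.to_bytes(length, "big", signed=True)


def check_serial_text(text: str) -> dict:
    """Mimic what OpenSSL's a2i_ASN1_INTEGER accepts from the 'serial'
    file (hex, even number of chars) and what RFC 3280 allows (positive,
    at most 20 DER octets).  'problems' is empty when the value is fine."""
    text = text.strip()
    problems = []
    if not text or any(c not in "0123456789abcdefABCDEF" for c in text):
        return {"value": None, "der_octets": None,
                "problems": ["not a hexadecimal string"]}
    if len(text) % 2:
        problems.append("odd number of chars")  # the error from the thread
    value = int(text, 16)
    octets = len(der_integer_content(value))
    if value <= 0:
        problems.append("serial number must be a positive integer")
    if octets > MAX_SERIAL_OCTETS:
        problems.append(f"DER INTEGER is {octets} octets, limit is "
                        f"{MAX_SERIAL_OCTETS}")
    return {"value": value, "der_octets": octets, "problems": problems}


def datetime_serial(now: datetime, suffix: str = "0001") -> str:
    """Build the serial string the thread settles on: YYYYmmddHHMM plus a
    suffix chosen so the total length is even (12 + 4 = 16 characters)."""
    return now.strftime("%Y%m%d%H%M") + suffix


if __name__ == "__main__":
    for candidate in ("200507171152001", "2005071711520001", "ff" * 20):
        print(candidate, check_serial_text(candidate)["problems"])
```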