Max length of serial number

> What is the maximum length (if string) or size (if number) of a serial
> number?
>
> I am using the current datetime to set the initial serial number for my
> CA to provide a reasonable measure of uniqueness:
>
>   # example: 200507171152001
>   SERIALINIT=$(date +%Y%m%d%H%M)001
>   echo $SERIALINIT > serial
>
> Do I need to be concerned with the number of characters or the number of
> bits used to represent the serial number? Is there an RFC that defines this?
>

> On Sun, 2005-07-17 at 12:03 -0400, Jorey Bump wrote:
>
>>What is the maximum length (if string) or size (if number) of a serial
>>number?
>>
>>I am using the current datetime to set the initial serial number for my
>>CA to provide a reasonable measure of uniqueness:
>>
>>  # example: 200507171152001
>>  SERIALINIT=$(date +%Y%m%d%H%M)001
>>  echo $SERIALINIT > serial
>>
>>Do I need to be concerned with the number of characters or the number of
>>bits used to represent the serial number? Is there an RFC that defines this?
>
> I found this in RFC 2459 (http://www.faqs.org/rfcs/rfc2459.html)
>
> *******************************************************************
> 4.1  Basic Certificate Fields
>
>    The X.509 v3 certificate basic syntax is as follows.  For signature
>    calculation, the certificate is encoded using the ASN.1 distinguished
>    encoding rules (DER) [X.208].  ASN.1 DER encoding is a tag, length,
>    value encoding system for each element.
>
>           ...
>
>    CertificateSerialNumber  ::=  INTEGER
>  
>           ...
> *******************************************************************
>
> and then I found this (http://gost.isi.edu/brian/security/asn1.html)
>
> ********************************************************************
>          ...
>
> And that's all that we need. This second specification introduces us to another
> primitive, INTEGER, which is exactly what it sounds like, an integer. The
> difference between this integer and that which resides on most machines is that
> this one is arbitrarily large: the ASN.1 encoding for integer allows for integers
> of whatever size.
>          ...
> ********************************************************************
>
> Here is the ASN.1 website - http://asn1.elibel.tm.fr/

> There is one caveat: the number of characters must be even:
>
> unable to load number from /etc/ssl/CA/serial
> error while loading serial number
> 3068:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number
> of chars:f_int.c:162:
>
> Therefore, I needed to modify my command:
>
>  # example: 2005071711520001 (16 char, must be even # of chars)
>  echo $(date +%Y%m%d%H%M)0001 > serial

> And RFC 3280 has this to say:
>
> 4.1.2.2  Serial number
>
>    The serial number MUST be a positive integer assigned by the CA to
>    each certificate.  It MUST be unique for each certificate issued by a
>    given CA (i.e., the issuer name and serial number identify a unique
>    certificate).  CAs MUST force the serialNumber to be a non-negative
>    integer.
>
>    Given the uniqueness requirements above, serial numbers can be
>    expected to contain long integers.  Certificate users MUST be able to
>    handle serialNumber values up to 20 octets.  Conformant CAs MUST NOT
>    use serialNumber values longer than 20 octets.
>
>    Note: Non-conforming CAs may issue certificates with serial numbers
>    that are negative, or zero.  Certificate users SHOULD be prepared to
>    gracefully handle such certificates.
>
> I guess this limits serial numbers to 20 numeric characters,