Todd Wease wrote:
On Sun, 2005-07-17 at 12:03 -0400, Jorey Bump wrote:

What is the maximum length (if string) or size (if number) of a serial number?

I am using the current datetime to set the initial serial number for my CA to provide a reasonable measure of uniqueness:

 # example: 200507171152001
 SERIALINIT=$(date +%Y%m%d%H%M)001
 echo $SERIALINIT > serial

Do I need to be concerned with the number of characters or the number of bits used to represent the serial number? Is there an RFC that defines this?

I found this in RFC 2459 (http://www.faqs.org/rfcs/rfc2459.html)

*******************************************************************
4.1  Basic Certificate Fields

   The X.509 v3 certificate basic syntax is as follows.  For signature
   calculation, the certificate is encoded using the ASN.1 distinguished
   encoding rules (DER) [X.208].  ASN.1 DER encoding is a tag, length,
   value encoding system for each element.

          ...

   CertificateSerialNumber  ::=  INTEGER
...
*******************************************************************

and then I found this (http://gost.isi.edu/brian/security/asn1.html)

********************************************************************
         ...

And that's all that we need. This second specification introduces us to another primitive, INTEGER, which is exactly what it sounds like, an integer. The difference between this integer and that which resides on most machines is that this one is arbitrarily large: the ASN.1 encoding for integer allows for integers of whatever size.
         ...
********************************************************************

Here is the ASN.1 website - http://asn1.elibel.tm.fr/

Thanks, Todd. There is one caveat: the number of characters must be even:

unable to load number from /etc/ssl/CA/serial
error while loading serial number
3068:error:0D066091:asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars:f_int.c:162:

Therefore, I needed to modify my command:

 # example: 2005071711520001 (16 char, must be even # of chars)
 echo $(date +%Y%m%d%H%M)0001 > serial

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
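An added example, not from the thread or from OpenSSL itself: a small POSIX sh helper that applies the fix above (pad the suffix so the digit count is even) and checks the value before it is written to the CA's serial file. The even-length rule is the one the error message above enforces; the hex interpretation is how OpenSSL's a2i_ASN1_INTEGER reads the file, and the 20-octet limit and positive-value requirement come from RFC 5280 (the successor of RFC 2459). The file path in the usage line is a placeholder.

```sh
#!/bin/sh
# Added example: build a timestamp-based serial for an OpenSSL CA and check
# the constraints before writing it to the "serial" file. OpenSSL reads the
# file as a hex string and rejects an odd digit count (a2i_ASN1_INTEGER,
# "odd number of chars", as quoted in the thread).

# make_serial [STAMP] [SUFFIX] -> prints STAMP+SUFFIX; when the total digit
# count is odd, the suffix is left-padded with one "0" (001 -> 0001), which
# is exactly the adjustment made in the thread. STAMP defaults to now.
make_serial() {
    stamp=${1:-$(date +%Y%m%d%H%M)}
    suffix=${2:-001}
    serial="$stamp$suffix"
    if [ $(( ${#serial} % 2 )) -ne 0 ]; then
        serial="${stamp}0${suffix}"
    fi
    printf '%s\n' "$serial"
}

# check_serial SERIAL -> returns 0 if the value is acceptable for the serial
# file; otherwise prints the reason and returns 1.
check_serial() {
    s=$1
    # the file is parsed as hexadecimal, so only hex digits are allowed
    case $s in
        ""|*[!0-9A-Fa-f]*) echo "not a hex string: '$s'"; return 1 ;;
    esac
    # two hex digits per octet: an odd count cannot be decoded
    if [ $(( ${#s} % 2 )) -ne 0 ]; then
        echo "odd number of chars: $s"; return 1
    fi
    # RFC 5280 4.1.2.2: conforming CAs must not use serials longer than 20 octets
    if [ ${#s} -gt 40 ]; then
        echo "longer than 20 octets: $s"; return 1
    fi
    # RFC 5280 also requires a positive INTEGER: the top bit of the first
    # octet must be clear, i.e. the first hex digit must be 0-7
    case $s in
        [89A-Fa-f]*) echo "top bit set, would encode a negative INTEGER: $s"; return 1 ;;
    esac
    return 0
}

# usage (path is a placeholder for your CA's serial file):
#   s=$(make_serial) && check_serial "$s" && echo "$s" > /path/to/CA/serial
```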
