My belief is that the presentation should be as an octet string, as
opposed to a string representation of an integer.  Furthermore, serial
numbers are unsigned, not signed, and generally increment.

The problem is that the CA did not embed "00" before the serial number
of the certificate it signed -- and, by RFC, it is not required to. 
The serial number should be presented to the user as an opaque string
of hex bytes, not (as currently) a translation into an integer.

-Kyle H

On 1/11/06, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
>
> Michael,
>
> OpenSSL is working correctly because "9a 38 74 00 00 00 00 25 be" is a
> negative integer. If you precede your serial number with "00" everything will
> work fine... even the presentation of your number with OpenSSL.
>
> Best regards
>
> Thomas
>
>
>  ________________________________
>  From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Bohn, Michael
> Sent: Wednesday, 11 January 2006 07:20
> To: [email protected]
> Subject: openssl can don' t handle 20 Octes long Serial Numbers RFC 3280
>
>
>
>
> Hi all,
> sorry that I send the same e-mail again but I didn't find any answer to my
> last one.
>
> We have the case that openssl can not handle long serial numbers.
> In our case we have this Serial Nr. 9a 38 74 00 00 00 00 25 be
> but OpenSSL 0.9.7e 25 Oct 2004 prints this:
>
> openssl x509 -in file  -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>              (Negative)65:c7:8b:ff:ff:ff:ff:da:42
>
>
> Windows, Cisco and Mozilla can handle this SN without any problems.
>
>
> ################ RFC 3280        ############################
>
> RFC 3280        Internet X.509 Public Key Infrastructure      April 2002
>
>
>    Given the uniqueness requirements above, serial numbers can be
>    expected to contain long integers.  Certificate users MUST be able to
>    handle serialNumber values up to 20 octets.  Conformant CAs MUST NOT
>    use serialNumber values longer than 20 octets.
>
> ###############################################################
>
>
> best regards
>
>
> Michael
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
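
Added example, not part of the original messages and not OpenSSL code: the two presentations discussed in this thread, applied to the serial number from the report. The DER encodings are constructed here from the octets quoted above, all function names are hypothetical, and counting the 20-octet limit over the content octets is this example's assumption.

```python
def parse_der_integer(tlv: bytes) -> bytes:
    """Return the content octets of a short-form DER INTEGER (tag 0x02)."""
    if len(tlv) < 3 or tlv[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = tlv[1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    content = tlv[2:]
    if len(content) != length:
        raise ValueError("length mismatch")
    return content

def colon_hex(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)

def signed_display(content: bytes) -> str:
    """Two's-complement reading: sign prefix plus magnitude in hex."""
    value = int.from_bytes(content, "big", signed=True)
    magnitude = abs(value)
    raw = magnitude.to_bytes(max(1, (magnitude.bit_length() + 7) // 8), "big")
    return ("(Negative)" if value < 0 else "") + colon_hex(raw)

def opaque_display(content: bytes) -> str:
    """Octet-string reading: show the content octets exactly as encoded."""
    return colon_hex(content)

def encode_positive_serial(octets: bytes) -> bytes:
    """DER-encode octets as a non-negative INTEGER, adding 00 if needed."""
    body = octets.lstrip(b"\x00") or b"\x00"
    if body[0] & 0x80:          # high bit set would read as negative
        body = b"\x00" + body
    if len(body) > 20:          # assumption: limit applies to content octets
        raise ValueError("serialNumber longer than 20 octets")
    return bytes([0x02, len(body)]) + body

# Constructed sample: the serial from the report, without and with the 00.
SERIAL = bytes.fromhex("9a38740000000025be")
AS_ISSUED = bytes([0x02, len(SERIAL)]) + SERIAL
WITH_PAD = encode_positive_serial(SERIAL)

if __name__ == "__main__":
    for name, tlv in (("as issued", AS_ISSUED), ("with 00", WITH_PAD)):
        content = parse_der_integer(tlv)
        print(name, tlv.hex(), signed_display(content), opaque_display(content))
```

The signed reading of the encoding without the leading 00 reproduces the "(Negative)" value in the quoted `openssl x509 -text` output, while the opaque reading shows the octets the reporter expected.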
