On Mon, Aug 24, 2015 at 12:54 PM, Boris Lytochkin <[email protected]> wrote:
> Log serial number of revoked certificate
> In most situations the admin of an OpenVPN server needs to know which particular
> certificate is used by a client.
Cert serial numbers found in the wild are hardly unique (witness the Mozilla CA bundle), thus no one with a sane mind refers to them as identifiers, nor do libraries/apps use them for things like cert pinning, nor should people be encouraged to think they are unique (even though there may now be some spec for that, but history precedes). The only place they'd have meaning is as a text string for the local issuer, but it's really just duplication of work. The SHA-1 (or better) fingerprint of the cert should be used instead.
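As an added illustration of the point made in this reply (example code written for this page, not part of the patch under discussion or of OpenVPN), the script below pulls the serialNumber out of a DER-encoded certificate with a minimal ASN.1 walk and computes the certificate fingerprint as a hash over the whole DER blob. The two sample "certificates" are constructed DER skeletons built in the script itself (the `build_sample_cert` helper is an assumption for the demo and does not produce a validly signed X.509 certificate): they carry the same serial but different subjects, so the serial cannot tell them apart while the fingerprint can. Only the standard library is used.

```python
import hashlib

# ---- minimal DER helpers (written for this example) -------------------------

def der_len(n: int) -> bytes:
    """Encode a DER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (two's complement, minimal length; positive values here)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return der_tlv(0x02, body)


def der_read(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end


# ---- the two identifiers being compared --------------------------------------

def cert_serial(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber."""
    tag, tbs_start, _ = der_read(der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = der_read(der, tbs_start)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, end = der_read(der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        tag, body, end = der_read(der, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    return int.from_bytes(der[body:end], "big", signed=True)


def cert_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint = hash over the complete DER encoding, colon-separated hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def client_cert_log_line(der: bytes) -> str:
    """Log entry keyed on the fingerprint; serial shown only as issuer-local text."""
    return "client cert fingerprint=%s serial=0x%X" % (
        cert_fingerprint(der), cert_serial(der))


# ---- constructed sample input (NOT real certificates) ------------------------

def build_sample_cert(serial: int, subject_cn: str) -> bytes:
    """Structurally a Certificate SEQUENCE with version, serial, a stand-in
    subject, an empty algorithm identifier and a dummy BIT STRING signature."""
    version = der_tlv(0xA0, der_integer(2))                      # v3
    subject = der_tlv(0x30, der_tlv(0x0C, subject_cn.encode()))  # stand-in Name
    tbs = der_tlv(0x30, version + der_integer(serial) + subject)
    sig_alg = der_tlv(0x30, b"")
    signature = der_tlv(0x03, b"\x00" * 9)
    return der_tlv(0x30, tbs + sig_alg + signature)


# Two different certs issued (hypothetically) by two different CAs, both with
# serial 0x1000: the serial collides, the fingerprint does not.
CERT_A = build_sample_cert(0x1000, "client-a.example")
CERT_B = build_sample_cert(0x1000, "client-b.example")

if __name__ == "__main__":
    print(client_cert_log_line(CERT_A))
    print(client_cert_log_line(CERT_B))
    print("serials equal:", cert_serial(CERT_A) == cert_serial(CERT_B))
    print("fingerprints equal:", cert_fingerprint(CERT_A) == cert_fingerprint(CERT_B))
```

The fingerprint is bound to every byte of the certificate (issuer, subject, key, extensions, signature), which is why it works as a key for a log or a revocation check across issuers, whereas the serial is only meaningful once you already know which issuer it belongs to.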
