19

What is the significance of the set_serial option while generating a client certificate?

# client certificate creation
openssl genrsa -out client1.key 1024
openssl genrsa -out client2.key 1024
openssl req -new -key client1.key -out client1.csr
openssl req -new -key client2.key -out client2.csr
openssl x509 -req -days 365 -in client1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client1.crt
openssl x509 -req -days 365 -in client2.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client2.crt

I used the same serial number, 01, for all client certificates. Is there any issue when revoking a specific client certificate?

3 Answers

5

The serial number becomes part of the certificate and can be used by the certificate authority to identify the signed certificates.

Ray Hulha
5

Each certificate is uniquely identified by a serial number, so one is needed when generating the certificate. When issuing a certificate, the CA has to make sure that the serial number is unique and not reused.

When a certificate is revoked or expires, a new certificate is issued, and the only difference between the old and the new certificate will be the serial number. Since no other data in the certificate can uniquely identify a certificate within a CA, the serial number is needed. There can be two certificates for the same site/domain with the only difference being the serial number. The serial number uniquely identifies a certificate within the CA.

Jay Rajput
5

The CA/Browser Forum recommends not using sequential serial numbers in TLS certificates anymore:

Effective September 30, 2016, CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG

So you can use the new -rand_serial option, recently added to openssl.

And if that option is not available, you can use the workaround:

openssl x509 ... -set_serial "0x`openssl rand -hex 8`"
Alexander Farber
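To see Jay Rajput's point (revocation is keyed on the serial number, not the subject) and Alexander Farber's random-serial fix together, here is an added example that is not part of the question or any of the answers. It builds a throwaway CA, signs client1 and client2 with the same serial 01 exactly as in the question, signs client3 with a random 64-bit serial, revokes client1 only, and then checks all three against the resulting CRL. It assumes the openssl command line (1.1.1 or 3.x) is on PATH; the ca.cnf, file names and subject names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Assumes the openssl
# CLI; the config, file names and subjects below are constructed for the demo.
set -eu

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

setup_demo_pki() (
    cd "$DEMO_DIR"

    # Minimal config: [req]/[dn] so -subj works without prompts, v3_ca so the
    # CA cert is accepted by 'openssl verify', [demo_ca] for 'openssl ca'.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial.txt
crlnumber = crlnumber.txt
default_md = sha256
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
    touch index.txt
    echo 02 > serial.txt
    echo 01 > crlnumber.txt

    # 2048-bit keys rather than the 1024-bit keys in the question.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -subj "/CN=Demo CA" -days 30 \
        -config ca.cnf -extensions v3_ca -out ca.crt

    for c in client1 client2 client3; do
        openssl genrsa -out "$c.key" 2048 2>/dev/null
        openssl req -new -key "$c.key" -subj "/CN=$c" -config ca.cnf -out "$c.csr"
    done

    # The question's mistake: two certificates, one serial number.
    openssl x509 -req -days 30 -in client1.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out client1.crt 2>/dev/null
    openssl x509 -req -days 30 -in client2.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out client2.crt 2>/dev/null
    # The third answer's fix: 64 random bits from the CSPRNG as the serial.
    openssl x509 -req -days 30 -in client3.csr -CA ca.crt -CAkey ca.key \
        -set_serial "0x$(openssl rand -hex 8)" -out client3.crt 2>/dev/null

    # Revoke client1 only. 'openssl ca' records the entry in index.txt by
    # serial number, and the CRL lists that serial; the subject name is not
    # part of the CRL at all.
    openssl ca -config ca.cnf -revoke client1.crt
    openssl ca -config ca.cnf -gencrl -out crl.pem
)

# Prints "valid" or "revoked" for one certificate, checked against the demo
# CA and its CRL. Relying parties do exactly this (issuer, serial) lookup.
crl_status() {
    if openssl verify -crl_check -CAfile "$DEMO_DIR/ca.crt" \
            -CRLfile "$DEMO_DIR/crl.pem" "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo revoked
    fi
}

setup_demo_pki
for c in client1 client2 client3; do
    printf '%s: %s\n' "$c" "$(crl_status "$DEMO_DIR/$c.crt")"
done
```

client2 was never revoked, yet it fails the CRL check because the CRL says "serial 01 of this issuer is revoked" and that is all a relying party has to go on; client3, with its own random serial, stays valid. Trying to revoke client2 afterwards would not help either, since openssl ca already has serial 01 in its database. The only remedy for the question's setup is to reissue the certificates with distinct serials.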