[gnutls-help] certtool: Serial number only 31 bit?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jan 2 18:59:38 CET 2015


[ sorry, digging up an old thread as i happen to be thinking about the
  issue today ]

On Thu 2014-05-15 07:49:14 -0400, Nikos Mavrogiannopoulos wrote:
> On Thu, May 15, 2014 at 12:08 PM, Josef Wolf <jw at raven.inka.de> wrote:
>> Hello,
>> I am currently trying to use UUIDs (as Bignum) for the serial number of
>> certificates. AFAIK, the RFC 5280 allows up to 20 octets. But I have a hard
>> time specifying more than 31 bits in the template file.
>> With a prefix of 0x (indicating hex number), I get serial number 0. Ough!
>> Given as a decimal number, the number is truncated to 0x7fffffff.
>> Is this a limitation in certtool or am I missing something?
>
> It was a limitation. Support for up to 63-bit serial numbers was added in 3.3.0.

If the value received from the user for the serial number exceeds 63
bits, should GnuTLS throw an error rather than truncate?  I worry that
silently proceeding with a truncation seems likely to cause people using
certtool to issue multiple certificates with serial numbers of
0x7fffffffffffffff.

It seems like an error and a failure would be better than truncation
here.

        --dkg
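As an added example (not code from this thread or from GnuTLS), a small Python check a CA operator could run over a proposed serial before handing it to certtool: it encodes the value as a DER INTEGER the way RFC 5280 counts the 20-octet limit, flags the 31-bit and 63-bit clamp values discussed above as likely truncation artefacts, and spots duplicate serials in a batch. The UUID and the batch are constructed sample values.

```python
import uuid

# RFC 5280 s4.1.2.2: serialNumber is a positive INTEGER whose DER encoding
# is at most 20 octets. DER uses minimal two's complement, so a magnitude
# with its top bit set needs an extra leading 0x00 octet.
MAX_SERIAL_OCTETS = 20

# Saturation values a signed 32-/64-bit clamp would produce (the 31-bit and
# 63-bit limits from the thread); any serial equal to one is suspicious.
SUSPECT_CLAMPS = {0x7FFFFFFF, 0x7FFFFFFFFFFFFFFF}


def der_integer_content(n: int) -> bytes:
    """Return the minimal DER INTEGER content octets for n (two's complement)."""
    if n >= 0:
        length = (n.bit_length() + 8) // 8      # room for the sign bit
    else:
        length = ((-n - 1).bit_length() + 8) // 8
    return n.to_bytes(length, "big", signed=True)


def check_serial(n: int) -> list[str]:
    """Return RFC 5280 findings for a proposed serial (empty list = acceptable)."""
    findings = []
    if n <= 0:
        findings.append("serial must be a positive integer")
    if len(der_integer_content(n)) > MAX_SERIAL_OCTETS:
        findings.append(f"DER encoding exceeds {MAX_SERIAL_OCTETS} octets")
    if n in SUSPECT_CLAMPS:
        findings.append("value equals a signed-integer clamp limit; possible truncation")
    return findings


def find_duplicate_serials(serials: list[int]) -> set[int]:
    """Serial values that occur more than once in a batch of issued certificates."""
    seen, dupes = set(), set()
    for s in serials:
        (dupes if s in seen else seen).add(s)
    return dupes


if __name__ == "__main__":
    # Constructed sample: one UUID-derived serial plus two clamped ones.
    batch = [uuid.UUID("123e4567-e89b-42d3-a456-426614174000").int,
             0x7FFFFFFFFFFFFFFF, 0x7FFFFFFFFFFFFFFF]
    for s in batch:
        print(hex(s), check_serial(s) or "ok")
    print("duplicates:", [hex(d) for d in find_duplicate_serials(batch)])
```

A 128-bit UUID always fits: its DER encoding is at most 17 octets, well under the 20-octet ceiling, so the limit in the thread was certtool's, not the standard's.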