Is the serial number a unique key for an X509 certificate?

Is the certificate serial number a unique key for an X509 certificate? The user selects a certificate, and the program stores its serial number in preferences. Will the following code return the selected certificate?

using System.Security.Cryptography.X509Certificates;

public static X509Certificate2 GetCertificateBySerialNumber(string serialNumber)
{
    X509Certificate2 selectedCertificate = null;
    X509Store store = null;
    try
    {
        // open the "My" store of the current user read-only
        store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        // Certificates and Find already return X509Certificate2Collection, no cast needed
        X509Certificate2Collection allCertificates = store.Certificates;
        X509Certificate2Collection foundCertificates = allCertificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);

        // select the first certificate in the collection
        // (if several certificates share this serial number, this silently picks one of them)
        foreach (X509Certificate2 certificate in foundCertificates)
        {
            selectedCertificate = certificate;
            break;
        }
    }
    finally
    {
        if (store != null)
        {
            store.Close();
        }
    }

    return selectedCertificate;
}

UPDATE: I ended up using the certificate thumbprint, as suggested by jglouie.

asked 01 Feb 12 at 22:02

4 Answers

No. For example, OpenSSL lets the user set this when they create certificates.

See: http://www.openssl.org/docs/apps/x509.html

-set_serial n specifies the serial number to use. This option can be used with either the -signkey or -CA options. If used in conjunction with the -CA option the serial number file (as specified by the -CAserial or -CAcreateserial options) is not used.

The serial number can be decimal or hex (if preceded by 0x). Negative serial numbers can also be specified but their use is not recommended.

answered 02 Feb 12, 02:02

As mentioned in another answer, the serial number must be unique within the CA. So the serial number alone can't be used as a unique ID of the certificate -- certificates from different CAs can have the same serial number. You need to store a combination of the Issuer and SerialNumber properties. Also, for self-signed certificates and home-made CA software, numbers will most likely collide, as many people will start numbering from 0.

answered 03 Aug 12, 23:08

+1. Or have no clue what a serial number is supposed to be so they set 0 all the time ;) - TomTom

I will say I have found different certificates from the same CA with the same serial number. Shouldn't happen, but it does. - W3t Tr3y

@W3tTr3y Do they share the identical IssuerName? Yes, we also came across certificates issued by CAs with incorrectly configured numbering, but there we saw an obvious configuration problem. - Eugene Mayevski 'Callback

Yes, they have an identical IssuerName. I guess I don't understand the question then, since you go on to say "we also came across the certificates issued by CAs with incorrectly configured numbering", which would imply that you have seen this exact issue. - W3t Tr3y

@W3tTr3y I am saying that we also came across the problem, but that was an operator mistake during configuring the CA. It is not a normal practice, nor is it allowed by the standards. - Eugene Mayevski 'Callback

TL;DR: You must use a composite key of issuer name + serial number. If you need a simple key, use the certificate's thumbprint.

Quoting @ThomasPornin from security.stackexchange:

In a certificate, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA. You cannot count on a serial number being unique worldwide; in the dream world of X.509, it is the pair issuerDN+serial which is unique worldwide (each CA having its own unique distinguished name, and taking care not to reuse serial numbers).

The thumbprint is a hash value computed over the complete certificate, which includes all its fields, including the signature. That one is unique worldwide, for a given certificate, up to the inherent collision resistance of the used hash function. Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, but no actual collision has been produced (yet).

From: https://security.stackexchange.com/questions/35691/what-is-the-difference-between-serial-number-and-thumbprint

answered 17 Mar '17, 13:03
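The point made in this answer and in the issuer+serial answer above, demonstrated in C#. This is an added example, not code from the question or any answer: it builds two self-signed certificates in memory that deliberately share a serial number but have different issuers, and then shows that a serial-only Find returns both, while an issuer+serial composite key or a thumbprint selects exactly one. The certificate names, the serial value and the helper names are made up for the example; it needs .NET Core 2.0 / .NET 5 or later for CertificateRequest.Create with a caller-chosen serial number.

```csharp
// Added example (not from the original question or answers).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertificateKeys
{
    // Builds a self-signed certificate with a caller-chosen serial number.
    // Issuer == subject because the certificate signs itself.
    static X509Certificate2 MakeSelfSigned(string subject, byte[] serial)
    {
        using RSA key = RSA.Create(2048);
        var dn = new X500DistinguishedName(subject);
        var req = new CertificateRequest(dn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        var generator = X509SignatureGenerator.CreateForRSA(key, RSASignaturePadding.Pkcs1);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        return req.Create(dn, generator, now.AddMinutes(-5), now.AddYears(1), serial);
    }

    // Serial-only lookup: may match several certificates from different issuers.
    public static X509Certificate2Collection FindBySerial(X509Certificate2Collection certs, string serialHex)
        => certs.Find(X509FindType.FindBySerialNumber, serialHex, validOnly: false);

    // Composite-key lookup: issuer DN + serial number.
    // Compare the issuer's DER encoding rather than its display string so that
    // different string renderings of the same DN cannot cause a false match.
    public static X509Certificate2 FindByIssuerAndSerial(X509Certificate2Collection certs, X500DistinguishedName issuer, string serialHex)
    {
        foreach (X509Certificate2 c in certs.Find(X509FindType.FindBySerialNumber, serialHex, validOnly: false))
        {
            if (c.IssuerName.RawData.AsSpan().SequenceEqual(issuer.RawData))
                return c;
        }
        return null;
    }

    // Thumbprint lookup: a single key, unique per certificate (hash over the whole DER blob).
    public static X509Certificate2 FindByThumbprint(X509Certificate2Collection certs, string thumbprint)
    {
        X509Certificate2Collection found = certs.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count == 1 ? found[0] : null;
    }

    static void Main()
    {
        // Constructed collision: two toy CAs that both happened to pick the same serial.
        byte[] sharedSerial = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
        using X509Certificate2 a = MakeSelfSigned("CN=Toy CA A", sharedSerial);
        using X509Certificate2 b = MakeSelfSigned("CN=Toy CA B", sharedSerial);
        var certs = new X509Certificate2Collection { a, b };

        // Serial alone is ambiguous: both certificates match.
        Console.WriteLine($"serial-only matches: {FindBySerial(certs, a.SerialNumber).Count}");

        // Issuer + serial picks exactly the certificate we asked for.
        X509Certificate2 byPair = FindByIssuerAndSerial(certs, b.IssuerName, b.SerialNumber);
        Console.WriteLine($"issuer+serial -> {byPair?.Subject}");

        // Thumbprint is a single-value key that also picks exactly one certificate.
        X509Certificate2 byThumb = FindByThumbprint(certs, a.Thumbprint);
        Console.WriteLine($"thumbprint    -> {byThumb?.Subject}");
    }
}
```

The same three lookups work unchanged against a real store: replace the in-memory collection with store.Certificates after opening the store, as in the question's code. Whichever key is stored in preferences, checking that the lookup returned exactly one certificate (rather than taking the first element of the collection) is what turns a silent wrong pick into a detectable error.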

Yes, according to the X.509 specification the serial number is unique for a specific CA:

4.1.2.2 Serial number

The serial number is an integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).

answered 30 Mar '14, 22:03

Serial number alone won't identify the certificate uniquely, as certificates from different CAs can have the same serial number. - Eugene Mayevski 'Callback
