openssl ignores Serial number extension


Good day! I created a certificate request with the following result:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

In two words, it says:

cn
Certificate request

Public Key Info
Key Algorithm:  RSA
Key Parameters: 05 00
Key Size:   2048
Key SHA1 Fingerprint:   E4 .. E9 49 A3 D3

Public Key: 30 82 01 0A 02 82 01 01 ... 03 01 00 01

Now the most important part:

Extension
Identifier: Serial Number
Value:  55 44 49 44 3A 30 30 30 30 30 30 30 30 2D 37 61 30 65 2D 39 32 35 35 2D 66 66 66 66 2D 66 66 66 66 62 66 38 66 66 32 64 35
Critical:   No

I want THIS Extension serial number to be in my future certificate. But when I do something like

openssl x509 -req -in ../req.req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out user.crt -days 5000 -extensions v3_usr -CAcreateserial

I don't get my extension in the resulting user.cer. What am I doing wrong?


Solution

  • I suspect that there are several issues.

    First of all, your extension value is incorrectly formed. It is missing the nested ASN.1 type identifier for the extnValue field. According to RFC 5280, an X.509 Extension is:

    Extension  ::=  SEQUENCE  {
         extnID      OBJECT IDENTIFIER,
         critical    BOOLEAN DEFAULT FALSE,
         extnValue   OCTET STRING
                     -- contains the DER encoding of an ASN.1 value
                     -- corresponding to the extension type identified
                     -- by extnID
         }
    

    Under extnValue (which is an OCTET_STRING) you should put a nested type (I don't know the exact syntax for the Serial Number extension). It can be a SEQUENCE, another OCTET_STRING, or an INTEGER (since serial numbers are integers).

    However, your nested type is missing: there should be another nested node under the selected OCTET_STRING, while you placed the serial number directly as the extnValue payload.

    If this extension is intended to instruct the CA to place the specified serial number in the certificate (as a FIELD), then you violate another requirement:

    §4.1.2.2

    Certificate users MUST be able to handle serialNumber values up to 20 octets. Conforming CAs MUST NOT use serialNumber values longer than 20 octets.

    Your serial number looks like it is a bit longer than 20 octets. In addition, you may violate the first part of this section:

    It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).

    That is, if a user asks for a specific serial number, it may lead to serial number non-uniqueness.

    Edit: According to Ilya Matveychikov, the nested type shall be PrintableString. This means that your extension value should be:

    13 2B 55 44 49 44 3A 30  30 30 30 30 30 30 30 2D
    37 61 30 65 2D 39 32 35  35 2D 66 66 66 66 2D 66
    66 66 66 62 66 38 66 66  32 64 35
    

    When encoded, it will look as follows: [screenshot of the encoded extension]
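An added example, not code from the question or the answer: it builds the extension value the way the answer describes (a PrintableString nested inside extnValue), wraps it in a full RFC 5280 Extension, and shows why the raw bytes from the question do not parse as a nested ASN.1 value. The string is the ASCII decoded from the hex dump in the question; the extnID 2.5.4.5 (id-at-serialNumber) is an assumption, since the question never shows the OID.

```python
# Constructed sample: ASCII decoded from the hex dump in the question.
SERIAL_STRING = "UDID:00000000-7a0e-9255-ffff-ffffbf8ff2d5"
# Assumption: the question does not show the extnID, so id-at-serialNumber is used here.
ASSUMED_SERIAL_OID = "2.5.4.5"

def der_length(n):
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    """Generic tag-length-value encoding."""
    return bytes([tag]) + der_length(len(content)) + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def printable_string(text):
    """The nested type the answer's edit calls for: PrintableString (tag 0x13)."""
    return der_tlv(0x13, text.encode("ascii"))

def extension(oid, inner, critical=False):
    """Extension ::= SEQUENCE { extnID, critical (omitted when FALSE), extnValue }.
    extnValue is an OCTET STRING whose payload is an already DER-encoded value."""
    body = der_oid(oid) + (der_tlv(0x01, b"\xff") if critical else b"")
    return der_tlv(0x30, body + der_tlv(0x04, inner))

def nested_value(extn_value):
    """Return (tag, content) of the single ASN.1 value inside an extnValue payload,
    or None when the bytes are not exactly one well-formed TLV (the question's case:
    'U' would be read as tag 0x55 and 'D' as a length of 68, overrunning the payload)."""
    if len(extn_value) < 2:
        return None
    tag, first = extn_value[0], extn_value[1]
    if first < 0x80:
        length, start = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(extn_value) < 2 + n:
            return None
        length, start = int.from_bytes(extn_value[2:2 + n], "big"), 2 + n
    return (tag, extn_value[start:]) if start + length == len(extn_value) else None
```

Feeding `nested_value` the raw serial bytes returns None, while feeding it `printable_string(SERIAL_STRING)` returns the PrintableString tag and the string, which is the difference the answer's screenshots were illustrating.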