Minimum and maximum length of X509 serialNumber

Tags:

x509

The CA/Browser Forum Baseline Requirements section 7.1 states the following:

CAs SHOULD generate non‐sequential Certificate serial numbers that exhibit at least 20 bits of entropy.

At the same time, RFC 5280 section 4.1.2.2 specifies:

Certificate users MUST be able to handle serialNumber values up to 20 octets. Conforming CAs MUST NOT use serialNumber values longer than 20 octets.

Which integer range can I use in order to fulfill both requirements? It is my understanding that the max. value will be 2^159 (730750818665451459101842416358141509827966271488). What is the min. value?

4ndr345 asked Nov 14 '25 16:11



1 Answer

The CAB requirement has changed to a minimum of 64 bits of entropy. Since the leading bit in the representation for positive integers must be 0, there are a number of strategies:

  • produce a random bit string with 64 bits. If the leading bit is 1, then prepend 7 more random bits. This has the disadvantage that it is not obvious whether the generation considered 63 or 64 bits
  • produce a random bit string with 64 bits and add a leading 0 byte. This is still compact (wastes only 7-8 bits) but it is obvious that it has 64 bits of entropy
  • produce a random string longer than 64 bits, for example 71 or 127 bits (+ leading 0 bit). 16 bytes seems to be a common length and well under the 20 byte limit.

BTW, since it is unclear whether the 20 byte maximum length includes a potential 0 prefix, for interop reasons you should not generate more than 159 bits.

A random integer with x bits of entropy can be produced by generating a random number between 0 and (2^x)-1 (inclusive).

eckes answered Nov 17 '25 08:11



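The answer's second strategy (draw exactly 64 random bits and let the DER encoder add the 0x00 prefix when the top bit is set), plus a length check against the 20-octet limit, as an added Python example that is not part of the original post. It takes the answer's conservative reading that the 20 octets include any 0x00 prefix, so the largest value that fits is 2^159 - 1; all function names are my own.

```python
import os

MAX_SERIAL_OCTETS = 20  # RFC 5280 section 4.1.2.2 limit on serialNumber


def der_integer_content(n: int) -> bytes:
    """Return the content octets of a DER INTEGER holding the positive integer n.

    DER integers are two's complement, so when the most significant bit of the
    first octet is 1 a leading 0x00 octet is required to keep the value positive.
    """
    if n <= 0:
        raise ValueError("X.509 serialNumber must be a positive integer")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def encoded_length(n: int) -> int:
    """Content octets of the serial, counting the 0x00 prefix (assumption: the
    20-octet limit applies to the encoded value including that prefix)."""
    return len(der_integer_content(n))


def generate_serial(entropy_bits: int = 64) -> int:
    """Draw exactly entropy_bits random bits from the OS CSPRNG.

    The 0x00 prefix, if needed, is added by the encoder rather than by
    shortening the random string, so the entropy is visibly entropy_bits.
    Zero is rejected because serialNumber must be positive. The upper bound
    of 159 bits keeps the encoding within 20 octets under the conservative reading.
    """
    if not 64 <= entropy_bits <= 159:
        raise ValueError("entropy_bits must be between 64 and 159")
    mask = (1 << entropy_bits) - 1
    while True:
        n = int.from_bytes(os.urandom((entropy_bits + 7) // 8), "big") & mask
        if n > 0:
            return n


def is_acceptable_serial(n: int) -> bool:
    """Lint an existing serial: positive and at most 20 content octets when encoded."""
    try:
        return encoded_length(n) <= MAX_SERIAL_OCTETS
    except ValueError:
        return False
```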
