What is the significance of set_serial option while generating client certificate?

Question

What is the significance of set_serial option while generating client certificate.

# client certificate creation
openssl genrsa -out client1.key 1024
openssl genrsa -out client2.key 1024
openssl req -new -key client1.key -out client1.csr
openssl req -new -key client2.key -out client2.csr
openssl x509 -req -days 365 -in client1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client1.crt
openssl x509 -req -days 365 -in client2.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client2.crt

I used same serial number 01 for all client certificates. Is there any issue when revoke a specific client certificate ?

Answer 1

Since summer 2021 it is recommended not to use subsequent serial numbers

So you can use the new -rand_serial option, recently added to openssl.

And if that option is not available, you can use the workaround:

openssl x509 ... -set_serial "0x`openssl rand -hex 8`"

Answer 2

Each certificate is uniquely identified by a serial number and so needed when generating the certificate. When issuing a certificate, CA has to make sure that the serial number is unique and not reused.

When a certificate is revoked/expired, a new certificate is issued, only difference between the old and new certificate will be just the serial number. Since no other data in the certificate can uniquely identify a certificate within a CA, serial number is needed. There can be two certificates for the same site/domain with only difference being the serial number. Serial number uniquely identifies a certificate within the CA.

Answer 3

The serial number becomes part of the certificate and can be used by the certificate authority to ID the signed certificates.