Recommended CA settings for Serial Number of issued X.509 certificates #656
Hi, EJBCA 7.5.01 lets CAs issue 20-octet serial numbers by default. What is the recommended serial number size? Also, in older versions of EJBCA the default serial number size was 8 octets. On an upgraded EJBCA, older CAs still have 8-octet serial numbers; is there any security risk in that? On an upgraded version of EJBCA only a newly created CA issues certificates with a 20-octet serial number by default.
There is no security risk in using an 8-byte serial number. It is perfectly fine unless you run a public Web PKI (selling public TLS certificates), where you are bound by the CA/B Forum Baseline Requirements. I think this is your internal CA, in which case it is fine, and perfectly secure. On an existing CA you can edit "Serial Number Octet Size" in Edit CA.
Sure, you can increase it to more than 8. What is recommended really depends on your policy and use case. For some use cases (IoT) small serial numbers are used, but for most enterprise use cases 12-20 bytes is the "normal". 20 is the max. For a new internal enterprise CA I would use the default, as set for new CAs in EJBCA, which I believe is 20.
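As an added illustration of the two limits the replies refer to (this is example code written for this page, not code from the thread or from EJBCA), the stdlib-only Python below generates random serials of a chosen octet size, checks a value against the RFC 5280 rules (positive, at most 20 content octets in DER), and extracts the serialNumber from a DER certificate so you can measure what an existing CA actually issues. `build_sample_cert` is a constructed stand-in DER structure for offline testing, not a real certificate, and the function and constant names are this example's own. One caveat the code makes explicit: a serial whose top bit is cleared so that it stays positive without a DER sign byte carries 8n-1 random bits, so an 8-octet serial yields 63 bits, one short of the 64 bits of CSPRNG output the CA/B Forum Baseline Requirements demand for publicly trusted certificates; an internal CA, as the reply says, is not bound by that.

```python
"""X.509 serial number sizing checks (added example, standard library only)."""
import secrets

MAX_SERIAL_OCTETS = 20     # RFC 5280 4.1.2.2: serialNumber is at most 20 octets
CABF_MIN_RANDOM_BITS = 64  # CA/B Forum BR 7.1: at least 64 bits of CSPRNG output (public TLS only)


def der_integer_content(value: int) -> bytes:
    """Content octets of the DER INTEGER encoding of a positive integer.
    DER integers are two's complement: a value whose top bit is set gets a leading 0x00."""
    if value <= 0:
        raise ValueError("serial numbers must be positive (RFC 5280 4.1.2.2)")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def serial_octets(value: int) -> int:
    """Encoded size of the serial, i.e. what a 'Serial Number Octet Size' setting controls."""
    return len(der_integer_content(value))


def random_serial(octets: int) -> int:
    """Random positive serial that encodes to exactly `octets` bytes (hypothetical generator).
    The top bit of the first byte is cleared so DER adds no sign byte; that is why an
    n-octet serial of this shape carries 8n-1 bits of CSPRNG output rather than 8n."""
    if not 1 <= octets <= MAX_SERIAL_OCTETS:
        raise ValueError(f"octet size must be 1..{MAX_SERIAL_OCTETS}")
    while True:
        buf = bytearray(secrets.token_bytes(octets))
        buf[0] &= 0x7F          # positive without a sign byte
        if buf[0]:              # a leading 0x00 would be dropped by DER and shorten the serial
            return int.from_bytes(buf, "big")


def random_bits(octets: int) -> int:
    """Bits of CSPRNG output in a random_serial() of this size."""
    return 8 * octets - 1


def check_serial(value: int) -> list:
    """RFC 5280 findings for a serial value; an empty list means it is acceptable."""
    if value <= 0:
        return ["serial must be positive"]
    n = serial_octets(value)
    if n > MAX_SERIAL_OCTETS:
        return [f"serial encodes to {n} octets, RFC 5280 allows at most {MAX_SERIAL_OCTETS}"]
    return []


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one definite-length DER TLV (long-form length when content >= 128 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_length) for the TLV at `pos`."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, pos + 2 + nbytes, length


def certificate_serial(cert_der: bytes) -> int:
    """Read serialNumber from a DER Certificate without a crypto library.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, length = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # explicit [0] version present (v2/v3)
        tag, start, length = _read_tlv(cert_der, start + length)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(cert_der[start:start + length], "big", signed=True)


def build_sample_cert(serial: int) -> bytes:
    """Constructed stand-in: version v3, the given serial, and an empty placeholder SEQUENCE.
    Not a valid certificate; just enough structure for certificate_serial()."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    tbs = der_tlv(0x30, version + der_tlv(0x02, der_integer_content(serial)) + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs)


if __name__ == "__main__":
    for n in (8, 12, 20):
        s = random_serial(n)
        cabf = "meets" if random_bits(n) >= CABF_MIN_RANDOM_BITS else "misses"
        print(f"{n:2d} octets: serial {s:#x}, {random_bits(n)} random bits, {cabf} CA/B BR, "
              f"findings={check_serial(s)}, parsed={certificate_serial(build_sample_cert(s)) == s}")
```

To audit an existing CA, feed `certificate_serial` the DER of a certificate it issued (`open(path, "rb").read()` for a .der or .cer file) and pass the result to `serial_octets`; an upgraded CA that still has the 8-octet setting will report 8 here even though newly created CAs report 20.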