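I noticed that openssl x509 -in $FILE -text
sometimes displays the serial number of an X.509 certificate (a positive integer of at most 20 bytes, so the most significant bit is 0) as an "octet string", and sometimes as an integer followed by its hexadecimal representation.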
For example, here is the serial number of a certificate in the "Letsencrypt" chain (16-byte serial number, but the MSB is 1; is something wrong?):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Here is a certificate from the system "certificate bundle" (8-byte serial number, MSB is 0):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6828503384748696800 (0x5ec3b7a6437fa4e0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
Another one from the same bundle (16-byte serial number, MSB is 0):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
The certificate QuoVadis Root CA 2 (2-byte serial number):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1289 (0x509)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
Here is one with a 9-byte serial number (MSB is correctly 0):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:00:34:b6:4e:c6:36:2d:36
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=RO, O=CERTSIGN SA, OU=certSIGN ROOT CA G2
Another certificate from the same provider has a 6-byte serial number:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 35210227249154 (0x200605167002)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=RO, O=certSIGN, OU=certSIGN ROOT CA
It looks a bit random. Is there any special significance to the two ways of printing the serial number?
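
Added example (not part of the original post, and not OpenSSL's code): a Python model that reproduces both layouts for the six serial numbers quoted above. It assumes the decimal form is chosen whenever the value fits in a signed 64-bit long, and it shows that a serial whose top bit is set carries a leading 0x00 sign octet in DER that the text dump does not print.

```python
# Assumption (not stated on the page): the "decimal (0xhex)" layout is used
# when the value fits in a signed long (64 bits here); otherwise the
# magnitude is dumped as colon-separated octets.

def der_integer_content(value: int) -> bytes:
    """DER content octets of a non-negative INTEGER."""
    if value < 0:
        raise ValueError("X.509 serial numbers must be positive")
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    # A set top bit would read as negative, so DER prepends a 0x00 octet.
    return b"\x00" + raw if raw[0] & 0x80 else raw

def magnitude(content: bytes) -> bytes:
    """Drop the DER sign-padding octet; these are the bytes a dump shows."""
    if not content:
        raise ValueError("empty INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative serial number")
    if len(content) > 1 and content[0] == 0:
        if not content[1] & 0x80:
            raise ValueError("non-minimal DER INTEGER")
        return content[1:]
    return content

def render_serial(content: bytes, long_bits: int = 64) -> str:
    """Render the Serial Number field in one of the two observed layouts."""
    mag = magnitude(content)
    value = int.from_bytes(mag, "big")
    if value < 2 ** (long_bits - 1):          # fits in a signed long
        return f"Serial Number: {value} (0x{value:x})"
    return "Serial Number:\n    " + ":".join(f"{b:02x}" for b in mag)

# Serial numbers copied from the six outputs quoted in the post.
PAGE_SERIALS = [
    0x912B084ACF0C18A753F6D62E25A75F5A,   # 16 bytes, top bit set
    0x5EC3B7A6437FA4E0,                   # 8 bytes
    0x0CE7E0E517D846FE8FE560FC1BF03039,   # 16 bytes
    0x509,                                # 2 bytes
    0x110034B64EC6362D36,                 # 9 bytes
    0x200605167002,                       # 6 bytes
]

if __name__ == "__main__":
    for serial in PAGE_SERIALS:
        content = der_integer_content(serial)
        print(f"{len(content)} DER content octets")
        print(render_serial(content))
```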