
Can two different Root certificates and their intermediate certs have the same serial number?

I issue two root certificates:

Organization: My Example Organization:

My Example Organization Root Certificate Authority (serial number is 00)
----- My Example Organization Intermediate Certificate Authority (serial number is 10)

My Example Organization Secure Root Certificate Authority (serial number is 00)
----- My Example Organization Secure Intermediate Certificate Authority (serial number is 10)

Is the above okay? Or is it really mandatory to use different serial numbers for the certs issued by the same Organization?

This question, "What is the difference between serial number and thumbprint?", doesn't mention the same organization, so it does not answer my question.

  • From what I understand these are completely independent CAs. Having a requirement that independent CAs never overlap in serial numbers would mean that they all need to somehow synchronize between each other (globally!!!) or that each one must "reserve" some number space - which is unrealistic. – Steffen Ullrich Feb 06 '21 at 12:01
  • @SteffenUllrich so you mean the above is okay right? – Example person Feb 06 '21 at 12:02
  • That's what I mean. Such a requirement would not be possible to implement and that's why it does not exist. – Steffen Ullrich Feb 06 '21 at 12:03
  • @SteffenUllrich that clears all my doubts. Thank you so much for your time. Post it as an answer? – Example person Feb 06 '21 at 12:03

1 Answer

From RFC 5280 section 4.1.2.2:

The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).

Thus, the certificate must only be unique regarding the certificates issued by the same CA. Any requirement of being globally unique among all CAs in the world would also be kind of impossible to enforce since there would need to be some form of coordination among CAs.

Steffen Ullrich
  • What is the *issuer name*, is it the Common Name of the issuer, or the organization? – Example person Feb 06 '21 at 13:38
  • @Chi.C.J.RajeevaLochana: the content of the fields in the issuer DN, see [RFC 5280 section 4.1.2.4](https://tools.ietf.org/html/rfc5280#section-4.1.2.4) – Steffen Ullrich Feb 06 '21 at 15:51
  • Steffen, I mean like if all the Issuer fields are the same, only then it will invalidate recurring serial numbers? – Example person Feb 06 '21 at 16:00
  • @Chi.C.J.RajeevaLochana: *"... it will invalidate ..."* - what "it" are you talking about? And there is no way to "invalidate" serial numbers. It is simply that the serial number and issuer name are the anchor to check certificate revocation (both CRL and OCSP). So there is a problem if certificates are issued with the same serial number and issuer name which are then controlled by the same CRL and/or OCSP URL - because it would match multiple issued certificates. – Steffen Ullrich Feb 06 '21 at 16:07
  • `it` means Firefox :) It throws out an error when there is a problem and says it is invalid – Example person Feb 06 '21 at 16:10
  • @Chi.C.J.RajeevaLochana: Firefox might complain if it gets a different certificate from a CA, which has the same serial number as a previously seen certificate from the same CA. Is this what you mean? If yes then this is about the same CA, not different CAs and thus not what you were asking in your question. – Steffen Ullrich Feb 06 '21 at 16:15
  • I mean that, if two certificates' issuer fields are the same, then Firefox will not work with those... Just confirming – Example person Feb 06 '21 at 16:17
  • @Chi.C.J.RajeevaLochana: Having two different CAs with exactly the same DN can also cause other problems, since the DN is also used in certificate validation (at least if no issuer key identifier is given). So just don't. Anyway, all of this is out of the context of your original question where you clearly used different DNs. – Steffen Ullrich Feb 06 '21 at 16:33
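The answer's point, and the later comments about CRL and OCSP lookups being keyed on issuer name plus serial number, demonstrated with Go's standard crypto/x509 package. This is an added example, not code from the question or the answer: it builds the two hierarchies from the question with colliding serials (using 1 rather than 00 for the roots, since RFC 5280 as quoted in the answer requires a positive integer), checks that each intermediate chains only to its own root, and shows that a revocation index keyed on (issuer DN, serial) stays unambiguous across independent CAs while flagging a serial reused by a single issuer. All names, keys and helper functions (caTemplate, sign, buildCA, chainsTo, revocationKey, distinctByIssuerAndSerial) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPair is one independent hierarchy: the root, its key, and the intermediate it issued.
type caPair struct {
	Root, Intermediate *x509.Certificate
	RootKey            *ecdsa.PrivateKey
}

// caTemplate returns a CA certificate template with a constructed organization, the given CN and serial.
func caTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"My Example Organization"}, CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues a CA certificate with a fresh key under parent (nil parent means
// self-signed) and returns the parsed certificate together with its private key.
func sign(cn string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := caTemplate(cn, serial)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildCA creates "<prefix> Root Certificate Authority" (serial rootSerial) and
// "<prefix> Intermediate Certificate Authority" (serial intSerial) signed by it.
func buildCA(prefix string, rootSerial, intSerial int64) (*caPair, error) {
	root, rootKey, err := sign(prefix+" Root Certificate Authority", rootSerial, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, _, err := sign(prefix+" Intermediate Certificate Authority", intSerial, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &caPair{Root: root, Intermediate: inter, RootKey: rootKey}, nil
}

// chainsTo reports whether cert verifies with root as the only trust anchor;
// path building matches on issuer DN and signature, so a serial shared with another CA is irrelevant.
func chainsTo(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// revocationKey is what a CRL or OCSP consumer looks up: DER-encoded issuer name plus serial, never serial alone.
func revocationKey(c *x509.Certificate) string {
	return fmt.Sprintf("%x/%s", c.RawIssuer, c.SerialNumber)
}

// distinctByIssuerAndSerial is false only when a single issuer reused a serial number.
func distinctByIssuerAndSerial(certs ...*x509.Certificate) bool {
	seen := make(map[string]bool, len(certs))
	for _, c := range certs {
		if seen[revocationKey(c)] {
			return false
		}
		seen[revocationKey(c)] = true
	}
	return true
}

func main() {
	a, errA := buildCA("My Example Organization", 1, 10)
	b, errB := buildCA("My Example Organization Secure", 1, 10)
	if errA != nil || errB != nil {
		panic("could not build the example CAs")
	}
	fmt.Println("A intermediate under A root:", chainsTo(a.Intermediate, a.Root))
	fmt.Println("A intermediate under B root:", chainsTo(a.Intermediate, b.Root))
	fmt.Println("all (issuer, serial) keys distinct:", distinctByIssuerAndSerial(a.Root, a.Intermediate, b.Root, b.Intermediate))
}
```

Run it with `go run` on a single file. The two roots carry serial 1 and both intermediates serial 10, yet each intermediate verifies only under its own root, and every certificate gets a distinct (issuer, serial) key. Issuing a second certificate from the same root with serial 10 again is the case the RFC text forbids, and it is the one that collapses two certificates onto one revocation key.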