Is certificate serial number a unique key for X509 certificate? User selects a certificate, and program stores serial number in preferences. Will the following code return the selected certificate?

using System.Security.Cryptography.X509Certificates;

public static X509Certificate2 GetCertificateBySerialNumber(string serialNumber)
{
    X509Certificate2 selectedCertificate = null;
    X509Store store = null;
    try
    {
        // get certificate from the store "My", "CurrentUser"
        store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        X509Certificate2Collection allCertificates = store.Certificates;
        // validOnly = false: match on identity only, do not filter out expired or untrusted certificates
        X509Certificate2Collection foundCertificates = allCertificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);

        // select the first certificate in collection
        foreach (X509Certificate2 certificate in foundCertificates)
        {
            selectedCertificate = certificate;
            break;
        }
    }
    finally
    {
        if (store != null)
        {
            store.Close();
        }
    }

    return selectedCertificate;
}

UPDATE: I ended up using certificate thumbprint, as suggested by jglouie.

davmos
isobretatel

4 Answers

No. For example, OpenSSL lets the user set this when they create certificates.

See: http://www.openssl.org/docs/apps/x509.html

-set_serial n specifies the serial number to use. This option can be used with either the -signkey or -CA options. If used in conjunction with the -CA option the serial number file (as specified by the -CAserial or -CAcreateserial options) is not used.

The serial number can be decimal or hex (if preceded by 0x). Negative serial numbers can also be specified but their use is not recommended.

jglouie
TL;DR: You must use a composite key of issuer name + serial number. If you need a simple key, use the certificate's thumbprint.


Quoting @ThomasPornin from security.stackexchange:

In a certificate, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA. You cannot count on a serial number being unique worldwide; in the dream world of X.509, it is the pair issuerDN+serial which is unique worldwide (each CA having its own unique distinguished name, and taking care not to reuse serial numbers).

The thumbprint is a hash value computed over the complete certificate, which includes all its fields, including the signature. That one is unique worldwide, for a given certificate, up to the inherent collision resistance of the used hash function. Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, but no actual collision has been produced (yet).

From: https://security.stackexchange.com/questions/35691/what-is-the-difference-between-serial-number-and-thumbprint

Dinei
  • How does the thumbprint get unique across CAs worldwide? MS says the thumbprint is not always unique. https://www.microsoft.com/en-us/research/publication/are-certificate-thumbprints-unique/#:~:text=A%20certificate%20thumbprint%20is%20a,files%2C%20and%20displayed%20in%20interfaces. – kujiy Jun 07 '22 at 06:30
  • Abstract of the paper you linked: "We also checked the thumbprints of a large dataset of certificates used on the Internet, and found no evidence that would indicate thumbprints of certificates in use today are not unique." – Dinei Jun 07 '22 at 14:50
As mentioned in another answer, the serial number must be unique within the CA. So the serial number alone can't be used as a unique ID of the certificate -- certificates from different CAs can have the same serial number. You need to store a combination of the Issuer and SerialNumber properties. Also, for self-signed certificates and home-made CA software, numbers will most likely collide as many people will start numbering from 0.

Eugene Mayevski 'Callback
  • +1. Or have no clue what a serial number is supposed to be so they set 0 all the time ;) – TomTom Mar 30 '14 at 18:50
  • I will say I have found different certificates from the same CA with the same serial number. Shouldn't happen, but it does. – W3t Tr3y Jan 23 '20 at 16:37
  • @W3tTr3y Do they share the identical IssuerName? Yes, we also came across the certificates issued by CAs with incorrectly configured numbering, but there we saw an obvious configuration problem. – Eugene Mayevski 'Callback Jan 24 '20 at 22:14
  • Yes, they have an identical IssuerName. I guess I don't understand the question then, since you go on to say "we also came across the certificates issued by CAs with incorrectly configured numbering", which would imply that you have seen this exact issue. – W3t Tr3y Feb 03 '20 at 20:25
  • @W3tTr3y I am saying that we also came across the problem, but that was an operator mistake during configuring the CA. It is not a normal practice, nor is it allowed by the standards. – Eugene Mayevski 'Callback Feb 04 '20 at 10:38
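Putting the two answers above together (thumbprint as the simple key, issuer + serial number as the composite fallback), here is an added lookup example for the CurrentUser\My store; it is not code from any of the posters, and the class and method names are my own. It deliberately returns null instead of "the first hit" when a key matches more than one certificate, which is exactly the mis-configured-CA case discussed in the comments.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class CertificateLookup
{
    // What to persist when the user picks a certificate: the thumbprint is the
    // lookup key; issuer + serial are kept alongside it for display and as a fallback.
    public static string[] KeysToStore(X509Certificate2 cert)
    {
        return new[] { cert.Thumbprint, cert.Issuer, cert.SerialNumber };
    }

    // Preferred: the thumbprint is a hash over the whole encoded certificate, so it
    // identifies one certificate regardless of which CA issued it.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        return FindSingle(certs =>
            certs.Find(X509FindType.FindByThumbprint, thumbprint, false)
                 .Cast<X509Certificate2>());
    }

    // Fallback: the serial is only unique per issuer, so the FindBySerialNumber hits are
    // filtered by issuer DN as well. issuerDn must have been captured from the same
    // X509Certificate2.Issuer property, because DN string formatting differs between libraries.
    public static X509Certificate2 FindByIssuerAndSerial(string issuerDn, string serialNumber)
    {
        return FindSingle(certs =>
            certs.Find(X509FindType.FindBySerialNumber, serialNumber, false)
                 .Cast<X509Certificate2>()
                 .Where(c => string.Equals(c.Issuer, issuerDn, StringComparison.Ordinal)));
    }

    // Opens the store read-only, runs the query and returns the match only when it is
    // unambiguous. Two hits mean the stored key is not unique for this store, and silently
    // taking the first one would sign or authenticate with the wrong certificate.
    private static X509Certificate2 FindSingle(
        Func<X509Certificate2Collection, IEnumerable<X509Certificate2>> query)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            List<X509Certificate2> matches = query(store.Certificates).ToList();
            return matches.Count == 1 ? matches[0] : null;
        }
        finally
        {
            store.Close();
        }
    }
}
```

The third argument to Find is validOnly = false on purpose: the stored key should still resolve an expired or not-yet-trusted certificate, and validity is a separate decision from identity.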
Yes, according to the X.509 specification, the serial number is unique for a specific CA:

4.1.2.2 Serial number

The serial number is an integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).

Oybek
alexkasko