amazon-archives / certlint

X.509 certificate linter
Apache License 2.0

Count a leading 00 octet when checking a serial number's length #47

Closed robstradling closed 7 years ago

robstradling commented 7 years ago

https://crt.sh/?id=137592758&opt=cablint ...has a serial number of length 21 octets. The first octet is 00 to ensure that the INTEGER is positive.

certlint currently does this... https://github.com/awslabs/certlint/blob/master/lib/certlint/certlint.rb#L365 ...which ignores a leading 00 octet. Therefore, it calculates the above certificate's serial number length to be 20 octets.

RFC5280 4.1.2.2 says: Conforming CAs MUST NOT use serialNumber values longer than 20 octets.

I think the intent is that leading 00 octets should be counted, i.e., the above certificate should receive the "E: Serial numbers must be 20 octets or less" error.

pzb commented 7 years ago

Good call. I think the solution is to do something like OpenSSL::ASN1::Integer.new(c.serial).to_der.bytesize and make sure that is <= 22 (20 octets plus one byte type and one byte size).
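The two length rules discussed in this thread, worked through as an added example that is not certlint's own code and not the patch pzb landed. It DER-encodes a serial number as an ASN.1 INTEGER in pure Ruby (no OpenSSL dependency) so the leading 0x00 octet is visible: DER uses two's-complement content octets, so a positive value whose top bit is set needs an extra 0x00, and RFC 5280's 20-octet limit applies to those content octets. `magnitude_octets` reproduces the magnitude-only count that ignores the leading 00, `lint_serial` applies the corrected rule, and `der_total_size_ok?` is the equivalent "whole TLV <= 22 bytes" check from the comment above. The sample serials (2**159 and 2**159 - 1) are constructed here; the serial of the crt.sh certificate is not reproduced.

```ruby
# Added example, not certlint project code. Demonstrates why a leading 0x00
# octet counts toward RFC 5280's 20-octet serialNumber limit.

MAX_SERIAL_OCTETS = 20

# Big-endian bytes of the magnitude only (what a naive check counts).
def magnitude_octets(serial)
  raise ArgumentError, "serial must be non-negative" if serial < 0
  bytes = []
  n = serial
  loop do
    bytes.unshift(n & 0xff)
    n >>= 8
    break if n.zero?
  end
  bytes
end

# DER INTEGER content octets: minimal two's-complement encoding. A positive
# value whose first magnitude byte has the high bit set gets a leading 0x00,
# otherwise a decoder would read it as negative.
def der_integer_content(serial)
  bytes = magnitude_octets(serial)
  bytes.unshift(0x00) if bytes.first >= 0x80
  bytes.pack("C*")
end

# DER length octets (short form below 128, long form otherwise).
def der_length(len)
  return [len].pack("C") if len < 0x80
  len_bytes = magnitude_octets(len).pack("C*")
  [0x80 | len_bytes.bytesize].pack("C") + len_bytes
end

# Full TLV: tag 0x02 (INTEGER), length, content.
def der_integer(serial)
  content = der_integer_content(serial)
  [0x02].pack("C") + der_length(content.bytesize) + content
end

# Corrected rule: count the content octets, leading 0x00 included.
def serial_octet_count(serial)
  der_integer_content(serial).bytesize
end

# Lint result in certlint's message style: nil when compliant.
def lint_serial(serial)
  return nil if serial_octet_count(serial) <= MAX_SERIAL_OCTETS
  "E: Serial numbers must be 20 octets or less"
end

# Equivalent whole-TLV check: 20 content octets + 1 tag byte + 1 length byte.
def der_total_size_ok?(serial)
  der_integer(serial).bytesize <= MAX_SERIAL_OCTETS + 2
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: both have a 20-byte magnitude, but only the first
  # has its top bit set and therefore needs the extra 0x00 octet.
  [2**159, 2**159 - 1].each do |serial|
    puts "magnitude=#{magnitude_octets(serial).size} " \
         "der_content=#{serial_octet_count(serial)} " \
         "tlv=#{der_integer(serial).bytesize} " \
         "lint=#{lint_serial(serial).inspect}"
  end
end
```

Running the block shows the discrepancy the issue describes: 2**159 has a 20-byte magnitude but 21 DER content octets (23 bytes as a TLV), so the magnitude-only count passes it while the content-octet count and the TLV-size check both reject it.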

pzb commented 7 years ago

Fixed