UUID based Random Certificate Serial Numbers - dogtagpki/pki GitHub Wiki

Overview

Note
This proposal has not been implemented.

This proposal introduces a new mechanism for generating random certificate serial numbers based on a UUID or a purely random number. A UUID is a 128-bit number defined in RFC 4122. A UUID is practically guaranteed to be globally unique without relying on a shared database or on communication between replicas. It has approximately 120 bits of random entropy.

UUID Version 4

Java provides a UUIDv4 implementation which can be generated as follows:

import java.util.UUID;

UUID serialNumber = UUID.randomUUID();

Internally, the UUID is generated using the Java SecureRandom class. If Java is configured with the JSS security provider, the random bytes will ultimately come from the NSS pkcs11prng.

See also:

UUID Version 5

A Java implementation of UUID version 5 is described in this page.

UUID Version 6

UUID version 6 is proposed in this page.

Serial Number Prefix

A numeric prefix could be assigned to different serial number versions.

  • 00 could be grandfathered as incremental serial numbers.

  • 01 could be grandfathered (and modified) as the Random Certificate Serial Numbers v1 proposal.

  • 03 could be assigned to this proposal.

This prefix would be prepended to the random number discussed above. It takes a single byte on top of the 128-bit UUID or random value, for a total of 17 bytes out of the 20-byte serial number field.
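As an added example (not code from the pki project), the following Java builds a serial number as one prefix byte followed by the 16 UUID bytes, checks that the result still fits the 20-octet positive INTEGER that RFC 5280 allows, and recovers the prefix from an issued serial. The class name, method names and the PREFIX_UUID_V4 constant are assumptions; only the value 0x03 comes from the list above.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.util.UUID;

public class UuidSerialNumber {

    // Prefix assigned to this proposal in the list above (constant name is assumed).
    public static final byte PREFIX_UUID_V4 = 0x03;

    // Serialize a UUID into its 16 big-endian bytes (RFC 4122 layout).
    static byte[] toBytes(UUID uuid) {
        ByteBuffer buf = ByteBuffer.allocate(16);
        buf.putLong(uuid.getMostSignificantBits());
        buf.putLong(uuid.getLeastSignificantBits());
        return buf.array();
    }

    // Build the 17-byte serial: one version prefix byte followed by the 128-bit UUID.
    public static BigInteger toSerialNumber(byte prefix, UUID uuid) {
        byte[] raw = toBytes(uuid);
        byte[] serial = new byte[1 + raw.length];
        serial[0] = prefix;
        System.arraycopy(raw, 0, serial, 1, raw.length);
        // signum 1 keeps the value positive, as RFC 5280 requires for serialNumber;
        // a prefix of 0x00..0x03 also leaves the top bit clear, so DER needs no pad byte.
        BigInteger sn = new BigInteger(1, serial);
        // A positive INTEGER of at most 20 octets carries at most 159 magnitude bits.
        if (sn.bitLength() > 159) {
            throw new IllegalStateException("serial number exceeds 20 octets");
        }
        return sn;
    }

    // Recover the prefix byte from an issued serial, e.g. to distinguish this scheme from legacy ones.
    public static int prefixOf(BigInteger serial) {
        return serial.shiftRight(128).intValue();
    }

    public static void main(String[] args) {
        UUID uuid = UUID.randomUUID();          // SecureRandom-backed, as described above
        BigInteger sn = toSerialNumber(PREFIX_UUID_V4, uuid);
        System.out.println("uuid:    " + uuid);
        System.out.println("serial:  " + sn.toString(16));
        System.out.println("prefix:  " + prefixOf(sn));
        System.out.println("octets:  " + ((sn.bitLength() + 7) / 8));   // 17 for prefix 0x03
    }
}
```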
