000019960 - X.509 certificate serial numbers

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000019960
Applies To: Keon Certificate Authority 6.0.2
Microsoft Windows 2000 Professional SP2
Issue: X.509 certificate serial numbers
An Apache web server fails to correctly identify the signer of a certificate when the certificate serial number has leading zeroes.
Cause: The Apache 2.x web server uses a version of mod_ssl that identifies a certificate by comparing its serial number. That comparison fails to match certificates whose serial numbers have leading zeroes.

Using various tools, you can examine a certificate. If you display the certificate in KCA, you see the following:

        Serial No.:         A43043DAB7F6F8AE115E94854EEB6529

Using a Netscape browser or utilities supplied with OpenSSL (or BSAFE SSL-C), the serial number may be displayed as:


Using Microsoft Internet Explorer you can see the following:

        00A4 3043 DAB7 F6F8 AE11 5E94 854E EB65 29

In the X.509 specification, a certificate serial number is defined as an INTEGER. All of the display formats above are therefore valid renderings of the same value (each shows the integer converted to hexadecimal), and if you compared any two of them as integers they would be equal. The leading 00 shown by Internet Explorer is the sign octet that DER adds in front of a positive integer whose top bit is set; it does not change the value.
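The comparison the article describes, as an added example that is not part of the RSA article or of mod_ssl's code: the two display strings quoted above are parsed back to the INTEGER they encode and compared both as hex strings and as integers. The colon-separated rendering is a constructed sample in the style of OpenSSL output (the article does not show the actual OpenSSL display), and `der_encode_integer` is a small helper written here to show where the leading 00 octet comes from.

```python
# Added example (not from the RSA article or mod_ssl): normalising X.509 serial
# numbers to the INTEGER they encode before comparing them.
import re

SERIAL_KCA = "A43043DAB7F6F8AE115E94854EEB6529"                   # as shown by KCA (from the article)
SERIAL_IE = "00A4 3043 DAB7 F6F8 AE11 5E94 854E EB65 29"          # as shown by Internet Explorer (from the article)
SERIAL_COLON = "a4:30:43:da:b7:f6:f8:ae:11:5e:94:85:4e:eb:65:29"  # constructed, OpenSSL-style rendering of the same value

_SEPARATORS = re.compile(r"[\s:]")


def normalise_hex(display: str) -> str:
    """Strip spaces and colons and upper-case the remaining hex digits."""
    digits = _SEPARATORS.sub("", display).upper()
    if not digits or not re.fullmatch(r"[0-9A-F]+", digits):
        raise ValueError(f"not a hexadecimal serial number: {display!r}")
    return digits


def parse_serial(display: str) -> int:
    """Turn any hex rendering of a serial number into the INTEGER it encodes."""
    return int(normalise_hex(display), 16)


def der_encode_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02, short-form length).

    DER integers are two's complement, so a value whose top bit is set needs a
    leading 0x00 octet to stay positive. That octet is the '00' Internet
    Explorer displays; it is part of the encoding, not of the number.
    """
    if value < 0:
        raise ValueError("certificate serial numbers must be non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    if len(body) >= 0x80:
        raise ValueError("serial too long for short-form DER length")
    return b"\x02" + bytes([len(body)]) + body


def hex_string_match(a: str, b: str) -> bool:
    """The fragile approach: compare the hex digit strings after removing separators.

    A leading 00 from one tool and none from another makes this return False
    even though both strings denote the same serial number.
    """
    return normalise_hex(a) == normalise_hex(b)


def integer_match(a: str, b: str) -> bool:
    """The correct approach: compare the decoded INTEGER values."""
    return parse_serial(a) == parse_serial(b)


if __name__ == "__main__":
    for label, other in (("IE", SERIAL_IE), ("colon", SERIAL_COLON)):
        print(f"KCA vs {label}: hex-string match={hex_string_match(SERIAL_KCA, other)}, "
              f"integer match={integer_match(SERIAL_KCA, other)}")
    print("DER encoding:", der_encode_integer(parse_serial(SERIAL_KCA)).hex())
```

Running the block shows the KCA and Internet Explorer strings failing the hex-string comparison but matching as integers, and the DER encoding `02 11 00 a4 30 43 ...` makes visible that the 17-octet body begins with the sign octet the INTEGER rule requires.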
Resolution: This problem is not in RSA Security code; it must be resolved by modifying the serial number comparison routine in the mod_ssl module. Apache 1.3.x has not been seen to suffer from this problem. For further information, see http://www.apache.org and http://httpd.apache.org.
Legacy Article ID: a13411