Maximum number of certificates generated by a CA
What is the maximum number of certificates that can be generated from a CA?
The use case is a VPN using certificate authentication and I would like to know what is the theoretical number of unique certificates that I can issue.
certificates public-key-infrastructure ipsec
asked 5 hours ago
felartu
migrated from crypto.stackexchange.com 4 hours ago
This question came from our site for software developers, mathematicians and others interested in cryptography.
2 Answers
RFC 5280 states that "Certificate users MUST be able to handle serialNumber values up to 20 octets. Conforming CAs MUST NOT use serialNumber values longer than 20 octets."
Of course one doesn't have to conform...
Edit: an octet is 8 bits, so if you have 20 octets that's 160 bits... for binary we have base 2 bits => 2^160 = 1.4615016e+48, AKA a really really big number...
edited 4 hours ago
answered 4 hours ago
DarkMatter
What is the maximum number of certificates that can be generated from a CA?
There is no theoretical limit really.
A private key can be used to generate an almost infinite number of signatures. Furthermore, the certificate must be unique for each issuer / serial pair. However, with a serial number consisting of a maximum of 20 bytes, the number of unique pairs is near infinite, even if the serial number is randomly generated (which is less common in itself; commonly it is a counter encoded as a statically sized, big integer, positive number).
Of course, there must be some way of checking if the request for the certificate itself can be trusted. For TLS protected sites this commonly involves checking that the site name really belongs to the requester, but this may be more tricky if IP or IP ranges are targeted. Furthermore, I guess that CRLs and / or databases to keep certificate status through OCSP are not unlimited. So there may certainly be more practical limits to what a CA can do.
And finally, if you obtain the CA software from a commercial party you may want to make sure you don't run out of money when generating a whole bunch of certificates :)
answered 4 hours ago
Maarten Bodewes
Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...
– Maarten Bodewes
4 hours ago
Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/
– DarkMatter
3 hours ago
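A small check for the 20-octet rule that both answers discuss, added here as an example and not code from either answer. It assumes the RFC 5280 limit applies to the content octets of the DER-encoded INTEGER, and shows why a CA that generates random serials keeps them to 159 bits: the serial must be positive and DER integers are two's complement, so a value whose top bit is set needs a leading 0x00 octet that counts toward the limit, leaving 2^159 - 1 distinct conforming values rather than 2^160.

```python
import os

MAX_SERIAL_OCTETS = 20  # RFC 5280 section 4.1.2.2 limit on serialNumber


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER holding a positive value.

    DER integers are two's complement, so when the most significant bit
    of the top byte is set a leading 0x00 octet is required; that extra
    octet counts toward the 20-octet limit.
    """
    if value <= 0:
        raise ValueError("RFC 5280 requires a positive serialNumber")
    # One extra bit for the sign, then round up to whole octets.
    length = (value.bit_length() + 8) // 8
    return value.to_bytes(length, "big")


def is_conforming_serial(value: int) -> bool:
    """True if value is positive and its DER content fits in 20 octets."""
    try:
        return len(der_integer_content(value)) <= MAX_SERIAL_OCTETS
    except ValueError:
        return False


def max_conforming_serial() -> int:
    """Largest positive integer whose DER content is 20 octets: 2**159 - 1."""
    return (1 << (8 * MAX_SERIAL_OCTETS - 1)) - 1


def random_serial(entropy_bits: int = 159) -> int:
    """Random positive serial of at most entropy_bits bits.

    159 bits is the most that always encodes in 20 octets, because the
    160th bit would be the sign bit. Zero is not a valid serial, so the
    (astronomically rare) all-zero draw is simply redrawn.
    """
    assert 1 <= entropy_bits <= 8 * MAX_SERIAL_OCTETS - 1
    while True:
        value = int.from_bytes(os.urandom((entropy_bits + 7) // 8), "big")
        value &= (1 << entropy_bits) - 1
        if value:
            return value
```

A counter-based CA hits the same ceiling: once the counter reaches max_conforming_serial() the next value needs a 21st octet and is no longer conforming.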