Maximum number of certificates generated by a CA












2















What is the maximum number of certificates that can be generated from a CA?



The use case is a VPN using certificate authentication and I would like to know what is the theoretical number of unique certificates that I can issue.










share|improve this question













migrated from crypto.stackexchange.com 4 hours ago


This question came from our site for software developers, mathematicians and others interested in cryptography.























    2















    What is the maximum number of certificates that can be generated from a CA?



    The use case is a VPN using certificate authentication and I would like to know what is the theoretical number of unique certificates that I can issue.










    share|improve this question













    migrated from crypto.stackexchange.com 4 hours ago


    This question came from our site for software developers, mathematicians and others interested in cryptography.





















      2












      2








      2








      What is the maximum number of certificates that can be generated from a CA?



      The use case is a VPN using certificate authentication and I would like to know what is the theoretical number of unique certificates that I can issue.










      share|improve this question














      What is the maximum number of certificates that can be generated from a CA?



      The use case is a VPN using certificate authentication and I would like to know what is the theoretical number of unique certificates that I can issue.







      certificates public-key-infrastructure ipsec






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 5 hours ago









      felartufelartu

      132




      132




      migrated from crypto.stackexchange.com 4 hours ago


      This question came from our site for software developers, mathematicians and others interested in cryptography.









      migrated from crypto.stackexchange.com 4 hours ago


      This question came from our site for software developers, mathematicians and others interested in cryptography.
























          2 Answers
          2






          active

          oldest

          votes


















          4














          RFC 5280 states that "Certificate users MUST be able to
          handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
          use serialNumber values longer than 20 octets."
          Of course one doesn't have to conform...



          Edit: an octet is 8 bits so if you have 20 octets that's 160 bits...for binary we have base 2 bits => 2^160 = 1.4615016e+48 AKA a really really big number...






          share|improve this answer

































            0















            What is the maximum number of certificates that can be generated from a CA?




            There is no theoretical limit really.



            A private key can be used to generate an almost infinite amount of signatures. Furthermore, the certificate must be unique for each issuer / serial pair. However, with a serial number consisting of a maximum of 20 bytes, the amount of unique pairs is near infinite, even if the serial number is randomly generated (which is less common in itself, commonly it is a counter encoded as a statically sized, big integer, positive number).



            Of course, there must be some way of checking if the request for the certificate itself can be trusted. For TLS protected sites this commonly involves checking that the site name really belongs to the requester, but this may be more tricky if IP or IP ranges are targeted. Furthermore, I guess that CRL's and / or databases to keep certificate status through OCSP are not unlimited. So there may certainly be more practical limits to what a CA can do.



            And finally, if you obtain the CA software from a commercial party you may want to make sure you don't run out of money when generating a whole bunch of certificates :)






            share|improve this answer
























            • Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...

              – Maarten Bodewes
              4 hours ago











            • Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/

              – DarkMatter
              3 hours ago











            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "162"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202686%2fmaximum-number-of-certificates-generated-by-a-ca%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            4














            RFC 5280 states that "Certificate users MUST be able to
            handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
            use serialNumber values longer than 20 octets."
            Of course one doesn't have to conform...



            Edit: an octet is 8 bits so if you have 20 octets that's 160 bits...for binary we have base 2 bits => 2^160 = 1.4615016e+48 AKA a really really big number...






            share|improve this answer






























              4














              RFC 5280 states that "Certificate users MUST be able to
              handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
              use serialNumber values longer than 20 octets."
              Of course one doesn't have to conform...



              Edit: an octet is 8 bits so if you have 20 octets that's 160 bits...for binary we have base 2 bits => 2^160 = 1.4615016e+48 AKA a really really big number...






              share|improve this answer




























                4












                4








                4







                RFC 5280 states that "Certificate users MUST be able to
                handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
                use serialNumber values longer than 20 octets."
                Of course one doesn't have to conform...



                Edit: an octet is 8 bits so if you have 20 octets that's 160 bits...for binary we have base 2 bits => 2^160 = 1.4615016e+48 AKA a really really big number...






                share|improve this answer















                RFC 5280 states that "Certificate users MUST be able to
                handle serialNumber values up to 20 octets. Conforming CAs MUST NOT
                use serialNumber values longer than 20 octets."
                Of course one doesn't have to conform...



                Edit: an octet is 8 bits so if you have 20 octets that's 160 bits...for binary we have base 2 bits => 2^160 = 1.4615016e+48 AKA a really really big number...







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 4 hours ago

























                answered 4 hours ago









                DarkMatterDarkMatter

                1,302114




                1,302114

























                    0















                    What is the maximum number of certificates that can be generated from a CA?




                    There is no theoretical limit really.



                    A private key can be used to generate an almost infinite amount of signatures. Furthermore, the certificate must be unique for each issuer / serial pair. However, with a serial number consisting of a maximum of 20 bytes, the amount of unique pairs is near infinite, even if the serial number is randomly generated (which is less common in itself, commonly it is a counter encoded as a statically sized, big integer, positive number).



                    Of course, there must be some way of checking if the request for the certificate itself can be trusted. For TLS protected sites this commonly involves checking that the site name really belongs to the requester, but this may be more tricky if IP or IP ranges are targeted. Furthermore, I guess that CRL's and / or databases to keep certificate status through OCSP are not unlimited. So there may certainly be more practical limits to what a CA can do.



                    And finally, if you obtain the CA software from a commercial party you may want to make sure you don't run out of money when generating a whole bunch of certificates :)






                    share|improve this answer
























                    • Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...

                      – Maarten Bodewes
                      4 hours ago











                    • Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/

                      – DarkMatter
                      3 hours ago
















                    0















                    What is the maximum number of certificates that can be generated from a CA?




                    There is no theoretical limit really.



                    A private key can be used to generate an almost infinite amount of signatures. Furthermore, the certificate must be unique for each issuer / serial pair. However, with a serial number consisting of a maximum of 20 bytes, the amount of unique pairs is near infinite, even if the serial number is randomly generated (which is less common in itself, commonly it is a counter encoded as a statically sized, big integer, positive number).



                    Of course, there must be some way of checking if the request for the certificate itself can be trusted. For TLS protected sites this commonly involves checking that the site name really belongs to the requester, but this may be more tricky if IP or IP ranges are targeted. Furthermore, I guess that CRL's and / or databases to keep certificate status through OCSP are not unlimited. So there may certainly be more practical limits to what a CA can do.



                    And finally, if you obtain the CA software from a commercial party you may want to make sure you don't run out of money when generating a whole bunch of certificates :)






                    share|improve this answer
























                    • Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...

                      – Maarten Bodewes
                      4 hours ago











                    • Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/

                      – DarkMatter
                      3 hours ago














                    0












                    0








                    0








                    What is the maximum number of certificates that can be generated from a CA?




                    There is no theoretical limit really.



                    A private key can be used to generate an almost infinite amount of signatures. Furthermore, the certificate must be unique for each issuer / serial pair. However, with a serial number consisting of a maximum of 20 bytes, the amount of unique pairs is near infinite, even if the serial number is randomly generated (which is less common in itself, commonly it is a counter encoded as a statically sized, big integer, positive number).



                    Of course, there must be some way of checking if the request for the certificate itself can be trusted. For TLS protected sites this commonly involves checking that the site name really belongs to the requester, but this may be more tricky if IP or IP ranges are targeted. Furthermore, I guess that CRL's and / or databases to keep certificate status through OCSP are not unlimited. So there may certainly be more practical limits to what a CA can do.



                    And finally, if you obtain the CA software from a commercial party you may want to make sure you don't run out of money when generating a whole bunch of certificates :)






                    share|improve this answer














                    What is the maximum number of certificates that can be generated from a CA?




                    There is no theoretical limit really.



                    A private key can be used to generate an almost infinite amount of signatures. Furthermore, the certificate must be unique for each issuer / serial pair. However, with a serial number consisting of a maximum of 20 bytes, the amount of unique pairs is near infinite, even if the serial number is randomly generated (which is less common in itself, commonly it is a counter encoded as a statically sized, big integer, positive number).



                    Of course, there must be some way of checking if the request for the certificate itself can be trusted. For TLS protected sites this commonly involves checking that the site name really belongs to the requester, but this may be more tricky if IP or IP ranges are targeted. Furthermore, I guess that CRL's and / or databases to keep certificate status through OCSP are not unlimited. So there may certainly be more practical limits to what a CA can do.



                    And finally, if you obtain the CA software from a commercial party you may want to make sure you don't run out of money when generating a whole bunch of certificates :)







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 4 hours ago









                    Maarten BodewesMaarten Bodewes

                    3,4291122




                    3,4291122













                    • Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...

                      – Maarten Bodewes
                      4 hours ago











                    • Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/

                      – DarkMatter
                      3 hours ago



















                    • Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...

                      – Maarten Bodewes
                      4 hours ago











                    • Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/

                      – DarkMatter
                      3 hours ago

















                    Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...

                    – Maarten Bodewes
                    4 hours ago





                    Ah, now my answer was 3/4th done before DarkMatter updated his answer. Oh well, posted it anyway...

                    – Maarten Bodewes
                    4 hours ago













                    Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/

                    – DarkMatter
                    3 hours ago





                    Sorry :) I updated it in response to your comment. After I saw the comment disappear I figured you were typing up your own answer but I had already submitted the edit at that point :/

                    – DarkMatter
                    3 hours ago


















                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Information Security Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f202686%2fmaximum-number-of-certificates-generated-by-a-ca%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Loup dans la culture

                    How to solve the problem of ntp “Unable to contact time server” from KDE?

                    ASUS Zenbook UX433/UX333 — Configure Touchpad-embedded numpad on Linux