Certificate Serial Number Explained

The certificate serial number is an integer assigned by the Certificate Authority at issuance. It uniquely identifies a certificate within the scope of that CA. Combined with the issuer distinguished name, a serial number uniquely identifies any certificate in the PKI ecosystem.

Serial Number Format

The serial number is an ASN.1 INTEGER, which means it can be arbitrarily large. It's typically displayed as a hexadecimal string. In the decoder output, you'll see it formatted as something like 0e:83:a3:f7:0f:b5:16:23:27:15:07:cb.

The CA/Browser Forum's Baseline Requirements require that serial numbers be at least 64 bits of cryptographically random data (with a leading zero bit to keep it positive). This prevents serial number prediction and collision attacks.

How Serial Numbers Are Used

Serial numbers are the primary key in certificate revocation lists (CRLs). When a CA revokes a certificate, it publishes the serial number in its CRL and OCSP records. A browser or TLS client checks whether the certificate's serial number appears in the CA's revocation data before trusting it.

Serial Number and Certificate Identity

The serial number is unique per issuing CA, not globally unique. Two different CAs can issue certificates with the same serial number integer without conflict. The combination of (Issuer DN, Serial Number) is what uniquely identifies a certificate in the global PKI.

Finding the Serial Number in the Decoder

The serial number appears in the Validity Period section of the decoded output. It's displayed in hexadecimal format, which is the standard representation you'll see in other certificate tools, browsers, and openssl output (openssl x509 -in cert.pem -noout -serial).