crypto/x509: CreateCertificate creates invalid serial number field #33310
What version of Go are you using (
What you are observing is a quirk of ASN.1 encoding. Numbers that start with a byte higher than 127 are negative numbers, so a sequence of 20
This means that the highest serial number you can fit in 20 bytes is
The reason for adding a 0 makes sense, but given that some software (in my case, Mozilla's NSS library) fails to read certificates with more than 20 serial number bytes, one option is to not add the 0 if it results in 21 total bytes. The RFC says
so leaving a negative serial number is not ideal, but software should be prepared to handle that situation.
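The encoding behaviour discussed in this thread, as an added Go example that is not part of the issue or of crypto/x509: it measures the DER INTEGER content length of a serial and draws serials from 159 bits so that the encoding never exceeds 20 octets. The helper names `serialContentLen` and `newSerial` are hypothetical, and the 20-byte input is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// serialContentLen returns the number of content octets (tag and length
// excluded) in the DER INTEGER encoding of n.
func serialContentLen(n *big.Int) (int, error) {
	der, err := asn1.Marshal(n)
	if err != nil {
		return 0, fmt.Errorf("marshal serial: %w", err)
	}
	var raw asn1.RawValue
	if _, err := asn1.Unmarshal(der, &raw); err != nil {
		return 0, fmt.Errorf("reparse serial: %w", err)
	}
	return len(raw.Bytes), nil
}

// newSerial draws a positive serial below 2^159, so the top bit of a
// 20-byte value is always clear and DER never prepends a 0x00 octet.
func newSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 159) // 20 octets minus the sign bit
	for {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return nil, fmt.Errorf("read randomness: %w", err)
		}
		if n.Sign() > 0 { // zero is not a positive serial; draw again
			return n, nil
		}
	}
}

func main() {
	// Constructed input: 20 bytes whose first byte has the high bit set.
	high := new(big.Int).SetBytes(append([]byte{0x80}, make([]byte, 19)...))
	s, err := newSerial()
	if err != nil {
		panic(err)
	}
	for _, v := range []*big.Int{high, s} {
		n, err := serialContentLen(v)
		fmt.Printf("%x: %d content octets (err=%v)\n", v, n, err)
	}
}
```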