SSL Certificate Serial Number Explained: What It Is and Why It Matters
In your GuardSSL scan results, you'll see a Serial Number field displaying a long string of hexadecimal digits. What does this mysterious number mean?
What is a Certificate Serial Number?
A serial number is like a certificate's unique ID—a one-of-a-kind number assigned by the issuing Certificate Authority (CA).
Every certificate issued by a CA has a unique serial number. Just like your government ID number doesn't match anyone else's, a certificate's serial number never repeats within the same CA.
What Does a Serial Number Look Like?
Serial numbers are typically displayed as hexadecimal strings, for example:
04:E3:7F:24:8B:51:C3:A2:90:1C:D8:3F:...
Or without colons:
04E37F248B51C3A2901CD83F...
The length isn't fixed, but modern certificates typically use around 20 bytes (40 hexadecimal characters).
Why Serial Numbers Matter
1. Unique Certificate Identification
CAs need to track all certificates they issue. Serial numbers are essential for:
- Looking up specific certificate information
- Recording certificate issuance history
- Handling customer certificate issues
2. Certificate Revocation
This is the most critical function of serial numbers.
When a certificate needs to be revoked (e.g., private key was compromised), the CA can't retrieve certificates that have already been distributed. Instead, the CA adds the certificate's serial number to a revocation list.
This revocation list comes in two forms:
CRL (Certificate Revocation List): A file containing all revoked certificate serial numbers, periodically downloaded by browsers.
OCSP Response: Real-time query for whether a specific serial number's certificate is revoked.
When browsers verify a certificate, they check: Is this certificate's serial number on the revocation list?
3. Auditing and Compliance
In enterprise and financial environments, serial numbers are used for:
- Audit trails: Who requested what certificate
- Compliance checks: Do certificates meet security policies
- Incident response: Quickly locate problematic certificates
How Serial Numbers Are Generated
CAs use specific rules to generate serial numbers. According to industry standards (RFC 5280):
- Serial numbers must be positive integers
- Must be unique within the same CA
- Cannot exceed 20 bytes in length
Modern practice typically uses random numbers for serial numbers. This has a security benefit: attackers cannot predict the next certificate's serial number, making certain attacks more difficult.
An Interesting History
Early on, some CAs used simple incrementing numbers as serial numbers (1, 2, 3...). This caused problems:
- Attackers could predict serial numbers
- Could infer how many certificates the CA had issued
- Certain attacks exploited serial number predictability
Now industry standards require serial numbers containing at least 64 bits of randomness.
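The rules above can be checked mechanically. The following is an added example, not code from GuardSSL or any CA; the function names and the 128-bit default are assumptions. It also covers one edge case the rules imply: serial numbers are encoded as signed DER integers, so a 20-byte value whose top bit is set needs a leading zero byte and ends up 21 bytes long.

```python
import secrets

MAX_DER_OCTETS = 20    # length limit from the RFC 5280 rules listed above
MIN_RANDOM_BITS = 64   # minimum randomness mentioned above


def parse_serial(text: str) -> int:
    """Accept 'AA:BB:CC' or 'aabbcc' and return the integer value."""
    return int(text.replace(":", "").strip(), 16)


def der_octets(serial: int) -> int:
    """Content length of the DER INTEGER for a non-negative serial.

    DER integers are signed, so a value with its top bit set gets a
    leading 0x00 octet; bit_length() // 8 + 1 covers both cases.
    """
    return serial.bit_length() // 8 + 1


def serial_problems(serial: int) -> list[str]:
    """Return the rule violations for a serial (empty list means OK)."""
    if serial <= 0:
        return ["not a positive integer"]
    n = der_octets(serial)
    if n > MAX_DER_OCTETS:
        return [f"DER encoding is {n} octets, limit is {MAX_DER_OCTETS}"]
    return []


def new_serial(random_bytes: int = 16) -> int:
    """Draw a serial from the OS CSPRNG (assumed policy: 128 random bits)."""
    if random_bytes * 8 < MIN_RANDOM_BITS:
        raise ValueError("fewer than 64 random bits requested")
    while True:
        serial = int.from_bytes(secrets.token_bytes(random_bytes), "big")
        if not serial_problems(serial):  # rejects the all-zero draw
            return serial


def format_serial(serial: int) -> str:
    """Colon-separated upper-case hex, the display form shown earlier."""
    raw = serial.to_bytes((serial.bit_length() + 7) // 8 or 1, "big")
    return ":".join(f"{b:02X}" for b in raw)
```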
Practical Uses of Serial Numbers
Checking If a Certificate Is Revoked
If you want to manually check whether a certificate is revoked:
- Get the serial number from GuardSSL
- Find the CRL or OCSP address in the certificate
- Query the status of that serial number
In everyday use, browsers do this automatically for you.
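The last step of the manual check, as an added example that is not part of GuardSSL: it assumes the CRL has already been downloaded and dumped to text with `openssl crl -text -noout`. The sample text, issuer name and serial numbers are constructed for illustration, and the function names are hypothetical. Serials are compared as integers so that colons, letter case and leading zeros do not cause a missed match, and the issuer is checked because a serial is only unique within one CA.

```python
import re

SAMPLE_ISSUER = "C = US, O = Example Trust, CN = Example Issuing CA 1"

# Constructed sample in the layout printed by `openssl crl -text -noout`.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example Trust, CN = Example Issuing CA 1
        Last Update: Mar  1 00:00:00 2024 GMT
        Next Update: Mar  8 00:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 0A1B2C3D4E5F60718293A4B5C6D7E8F9
        Revocation Date: Feb 10 09:30:00 2024 GMT
    Serial Number: 7F00AA55
        Revocation Date: Feb 27 18:05:12 2024 GMT
"""

ENTRY = re.compile(
    r"Serial Number:\s*([0-9A-Fa-f:]+)\s*\n\s*Revocation Date:\s*(.+)"
)


def parse_crl_text(text):
    """Return (issuer, {serial_as_int: revocation_date}) from a CRL dump."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip()
    revoked = {
        int(m.group(1).replace(":", ""), 16): m.group(2).strip()
        for m in ENTRY.finditer(text)
    }
    return issuer, revoked


def revocation_status(cert_issuer, cert_serial, crl_text):
    """Look up one certificate (issuer + hex serial) in a dumped CRL."""
    issuer, revoked = parse_crl_text(crl_text)
    if issuer != cert_issuer:  # simplified: exact string match on the DN
        return "unknown: CRL is from a different issuer"
    date = revoked.get(int(cert_serial.replace(":", ""), 16))
    return f"revoked on {date}" if date else "not listed"
```

A "not listed" answer is only as good as the CRL itself: a complete check also verifies the CRL's signature and that its Next Update time has not passed.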
Reporting Certificate Issues
If you discover a certificate problem and need to report it to the CA, the serial number is essential. CA tech support will first ask: "What's the certificate serial number?"
With the serial number, they can quickly locate the specific certificate.
Managing Multiple Certificates
When managing multiple domains and certificates, serial numbers help distinguish them:
- The same domain might have multiple certificates (old and new)
- Serial numbers clearly identify which specific certificate
Serial Number vs. Fingerprint: What's the Difference?
| | Serial Number | Fingerprint |
|---|---|---|
| Who generates it | CA assigns at issuance | Anyone can compute it |
| Where stored | Inside the certificate | Not in certificate (computed on demand) |
| Uniqueness scope | Unique within same CA | Globally unique |
| Primary use | CA management, revocation | Identification, integrity verification |
In short:
- Serial Number is the "official ID" assigned by the CA
- Fingerprint is a "digital digest" of certificate contents
Key Takeaways
- Serial numbers are unique identifiers assigned by CAs to each certificate
- Primarily used for certificate management and revocation mechanisms
- Modern serial numbers use random generation for added security
- Each serial number is unique within a CA but might repeat across different CAs
- When dealing with certificate issues, serial numbers are essential for identification
Understanding serial numbers helps you better grasp certificate lifecycle management.