Certificate serial and thumbprint number spacing
We have a Microsoft PKI setup at our organization. As per just about all certificates I've ever seen, new certificates issued by our issuing CAs will put the serial number and thumbprint in a HEX format with each byte separated by a space. Recently we had an HSM upgrade, no real changes made to our CAs aside from getting them set up with the HSM. Now all new certificates are being issued with serial numbers and thumbprints, still in HEX (I see letters), but no spaces anymore.
Could this be something the HSM is doing (it's a Thales device)?
Is there some place in a Microsoft PKI to change the formatting of these numbers?
Should I even care?
I know how an application uses a certificate serial/thumbprint number is specific to that application. Some require you take out the spaces and some don't. But some applications read it directly from the cert store and I wonder if the atypical format would mess them up. Are there any known issues with having the certificates issued in this format?
At the moment we haven't had any reported issues. Smart card AuthN and our SCCM workstation certs seem to be working just fine with the new certs.
I would assume the serial number and thumbprint are stored in some fixed number of bytes in the file and thus this formatting was purely a result of whatever viewer I'm using. At first I thought this may just be something new with the Windows certificate viewer and Windows 10 1809, but older certificates are still displayed with the spaces, so it doesn't appear to be the viewer that changed and I have to assume it is something with the format of the certificate file.
certificates public-key-infrastructure certificate-authority
Interesting. I don't believe the HSM is involved in generating the serial numbers -- only computing the signature.
– Mike Ounsworth
Dec 13 '18 at 21:09
Yes, I would agree with that... in truth I do think this is a cert viewer issue... but since I can still see old certs having spaces it has me a bit baffled
– New Guy
Dec 13 '18 at 21:30
1
How are you "seeing" those values? The certificates themselves should be in ASN.1, so the actual bytes would be binary, and HEX just its representation.
– Ángel
Dec 13 '18 at 21:36
asked Dec 13 '18 at 20:49
New Guy
1 Answer
It is solely the certificate viewer, nothing else. From time to time Microsoft tweaks/changes the certificate viewer. Prior to Windows 10, hex values were printed in octets separated by a space; now they have removed the space. Though, public keys and public key parameters are printed in octets with spaces.
The fact that you see spaces for some certs is related to the certificate store. Certificate Viewer uses store-attached properties to fill fields in the cert viewer. Since the property value wasn't changed, it is shown as it was written (when spaces were used). Unlike certificate contents, certificate properties often use formatted strings instead of byte arrays.
I wouldn't care about this.
1
Yes indeed that is the issue. I was just about to come back and close this question as I realized I was just mixing up a Windows 10 1607 machine RDP session and a Windows 10 1809 session. Silly me.
– New Guy
Dec 13 '18 at 21:43
answered Dec 13 '18 at 21:36
Crypt32
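The point made in the answer and comments above, that the serial number and thumbprint are bytes and the spacing is only how a viewer prints them, shown as an added example (not part of the original thread and not Microsoft's code). `SAMPLE_DER`, `SERIAL` and all function names are constructed for illustration; the sample is a DER skeleton, not a real certificate.

```python
import hashlib
import unicodedata

def parse_hex_id(text: str) -> bytes:
    """Turn a displayed serial number or thumbprint into the bytes it represents."""
    # Drop whitespace, ':' and '-' separators, and invisible format characters
    # (Unicode category Cf, such as U+200E) that can come along with a copy/paste.
    cleaned = "".join(
        ch for ch in text
        if not ch.isspace() and ch not in ":-" and unicodedata.category(ch) != "Cf"
    )
    return bytes.fromhex(cleaned)  # ValueError on non-hex or odd-length input

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def serial_bytes(der: bytes) -> bytes:
    """Content bytes of the serialNumber INTEGER inside tbsCertificate."""
    _, cert_body, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, cert_body)      # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                           # explicit [0] version, if present
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end]

def thumbprint(der: bytes) -> bytes:
    """SHA-1 over the whole DER encoding; derived from the cert, not a field in it."""
    return hashlib.sha1(der).digest()

def spaced(raw: bytes) -> str:
    return " ".join(f"{b:02x}" for b in raw)

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value   # short-form lengths only (< 128)

# Constructed sample: a DER skeleton holding only version and serialNumber.
# It is not a valid certificate and the serial value is made up.
SERIAL = bytes.fromhex("1a2b3c4d5e6f7081")
SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, SERIAL)))

if __name__ == "__main__":
    tp = thumbprint(SAMPLE_DER)
    for shown in (spaced(SERIAL), SERIAL.hex(), "\u200e" + spaced(SERIAL).upper()):
        print(repr(shown), parse_hex_id(shown) == serial_bytes(SAMPLE_DER))
    print(spaced(tp), parse_hex_id(spaced(tp)) == parse_hex_id(tp.hex()) == tp)
```

Applications that match certificates by a pasted thumbprint or serial are safest comparing the parsed bytes rather than the display string.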