Is serial number a unique key for X509 certificate?

Question

Is certificate serial number a unique key for X509 certificate? User selects a certificate, and program stores serial number in preferences. Will the following code return the selected certificate?

public static X509Certificate2 GetCertificateBySerialNumber(string serialNumber)
{
    X509Certificate2 selectedCertificate = null;
    X509Store store = null;
    try
    {
        // get certificate from the store "My", "CurrentUser"
        store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        X509Certificate2Collection allCertificates = (X509Certificate2Collection)store.Certificates;
        X509Certificate2Collection foundCertificates = (X509Certificate2Collection)allCertificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);

        // select the first certificate in collection
        foreach (X509Certificate2 certificate in foundCertificates)
        {
            selectedCertificate = certificate;
            break;
        }
    }
    finally
    {
        if (store != null)
        {
            store.Close();
        }
    }

    return selectedCertificate;
}

UPDATE: I ended up using certificate thumbprint, as suggested by jglouie.

Answer 1

No. For example, OpenSSL let's the user set this when they create certificates.

See: http://www.openssl.org/docs/apps/x509.html

-set_serial n specifies the serial number to use. This option can be used with either the -signkey or -CA options. If used in conjunction with the -CA option the serial number file (as specified by the -CAserial or -CAcreateserial options) is not used.

The serial number can be decimal or hex (if preceded by 0x). Negative serial numbers can also be specified but their use is not recommended.

Answer 2

As mentioned in another answer, the serial number must be unique within the CA. So serial number alone can't be used as a unique ID of the certificate -- certificates from different CAs can have the same serial number. You need to store combination of Issuer and SerialNumber properties. Also, for self-signed certificates and home-made CA software numbers will most likely collide as many people will start numbering from 0.

Answer 3

TL;DR: You must use a composite key of issuer name + serial number. If you need a simple key, use certificate's thumbprint.

---

Quoting @ThomasPornin from security.stackexchange:

In a certificate, the serial number is chosen by the CA which issued the certificate. It is just written in the certificate. The CA can choose the serial number in any way as it sees fit, not necessarily randomly (and it has to fit in 20 bytes). A CA is supposed to choose unique serial numbers, that is, unique for the CA. You cannot count on a serial number being unique worldwide; in the dream world of X.509, it is the pair issuerDN+serial which is unique worldwide (each CA having its own unique distinguished name, and taking care not to reuse serial numbers).

The thumbprint is a hash value computed over the complete certificate, which includes all its fields, including the signature. That one is unique worldwide, for a given certificate, up to the inherent collision resistance of the used hash function. Microsoft software tends to use SHA-1, for which some theoretical weaknesses are known, but no actual collision has been produced (yet).

From: https://security.stackexchange.com/questions/35691/what-is-the-difference-between-serial-number-and-thumbprint

Answer 4

Yes, according to X.509 specification serial number is unique for specific CA:

4.1.2.2 Serial number

The serial number is an integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).