how do i get the serial numbers of X.509 certs

[ming]

Hi,
i have been running a [private|local] CA which also functions as a reverse proxy.  i issue X.509 client-side certs with this CA for programming API access authentication.  Now i am contemplating the implementation of some simple home-brewed CRL-like revocation mechanism.   Obviously that requires my node.js program to inspect the serial number of the X.509 cert the client presents.   

However, it is not clear to me what the best way is to get the serial number of the X.509 cert presented for the incoming request.   i've been using the following:
   req.connection.getPeerCertificate().subject
to retrieve subjects but i don't know where to find the serial number of a cert.

Thanks.

[Ben Noordhuis]

When you say "serial number", to what specific X.509 field
(distinguished name, OID) are you referring?

[Hseu-Ming Chen]

For the serial number that i was referring to: if you look at the content of one of the client-side certs i issued:

========================================================
%  openssl x509 -in foo.cert -text -noout

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: ....
        Validity
            ...
        Subject: ...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                   ......
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        a3:c2:31:d3:ea:c9:67:46:1c:5a:59:15:45:51:ef:c8:2d:99:
========================================================

you will find the line:
    Serial Number: 5 (0x5)

Or if you visit:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/7.3/html/Administration_Guide/Administration_Guide-Introduction_to_CRL_Extensions-Sample_CRL_and_CRL_Entry_Extensions.html
you will see the following:

========================================================
Certificate Revocation List:
Data: 
Version:  v2
...
Extensions: 

Identifier: Authority Key Identifier
...
Serial Number: 0x12
...
========================================================

In order to implement a simple CRL on my server (really a [private|local] CA + reverse proxy), i plan to rely on the serial numbers.  However, i can't find any info about retrieving the serial number of an incoming cert.   Or should i simply use the CN as in:
   req.connection.getPeerCertificate().subject.CN
instead since there is one-one-correspondence between CNs and the serial numbers.

A quick question: when the client connects with X.509 certs, is the serial number info available in the entire SSL/TLS handshake process?

Thanks.

--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to
nodejs+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en

---
You received this message because you are subscribed to a topic in the Google Groups "nodejs" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/nodejs/dCnPsMt3wNo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to nodejs+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Ben Noordhuis]

Right. Node.js currently doesn't support that but it's reasonably
straightforward to add. If you open an issue, we'll look into it.