In this post, I’m outlining all information I was able to get from different sources, including Microsoft in a more clear way. Generated serial numbers are 10 (20 hex chars) bytes long: This option adds cryptographic random component inside serial number. 1. However, locating it can be tricky. Unique, interesting, or odd serial numbers on currency are generally referred to as “fancy” serial numbers by currency collectors. Predictably, somebody fell into the trap. PKI Solutions Inc. Boom goes the dynamite! Serial numbers play a crucial role in demonstrating provenance, authenticity and ownership. You have received an invalid certificate. Main page This has the further advantage over a simple sequential numbering scheme that it doesn't allow tracking of the number of certificates which have been signed by a CA, which can have nasty consequences both if various braindamaged government regulation attempts ever come to fruition, and because by using sequential numbers a CA ends up revealing just how few certs it's actually signing (at the cost of a cert per week, the competition can find out exactly how many certs are being issued each week). Unpacking the serial number fiasco playing out in the digital certificate industry. Certificate Revocation Lists (CRLs) identify invalid certificates by means of a) the CA keypair that issued it (the pubkey being represented in the … If you know the serial number of a certificate and in which certificate store, you can use the Microsoft "certutil -store storename serial_number file_name" command to export it to a certificate file as shown in this tutorial: Issuer Name: Name of the issuer of the certificate. Please get a new certificate containing a unique serial number. Serial Number The serial number MUST be a positive integer assigned by the CA to each certificate. Recent Changes The serial number MUST be a positive integer assigned by the CA to each certificate. When you delete rows from CA database, deleted request IDs are never re-used, thus inclusion of Request ID in serial number guarantees its uniqueness for a particular CA. Although this is never mentioned in any standards document, using negative serial numbers is probably a bit silly (note the caveat about encoding INTEGER values in the section on SubjectPublicKeyInfo). Certificate Revocation Lists (CRLs) identify invalid certificates by means of a) the CA keypair that issued it (the pubkey being represented in the … Please check your entries and try again. Option #3: OpenSSL. Save my name, email, and website in this browser for the next time I comment. A better way is to take the current time in seconds and subtract some base time like the first time you ran the software, to keep the numbers manageable. Log in / Sign up. Michael Godard serial numbers are comprised of a prefix of letters followed by numbers. Many certificates (millions?) When a CA reaches 2,147,483,647 issued certificates, the CA will die even if all previously issued certificates are deleted from its database. Serial Number: Serial number of the certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). Email: info@pkisolutions.com 525 Third St, Suite 200 Certificate serial number requirements Every X.509 conforming CA generates a unique serial number for each issued certificate, which in fact is a long integer. This can not be achieved. kilometre of CO2 are exempt from VED. © 2013-2021 PKI Solutions Inc. All Rights Reserved |, ← ADCS Certification Authority Database query numbers, RPKI – The most important Internet security component you never heard of. hashes as serial numbers. A serial number is unique to each Michael Godard artwork. I see the serial number of each revoked certificate and the date of revocation along with appropriate crypto information including the issuer, date of issuance, and CRL signature. CAs MUST force the serialNumber to be a non-negative integer. pki-tomatd had already seen the LDAP certificate (due to ldaps connection). As per RFC 5280 §4.1.2.2, serial numbers MUST be unique, not greater than 20 bytes long non-negative integer and at least 1 bit must be enabled in first byte. More. It was quite hard to diagnose, but turned out to be that the IPA RA cert had the same serial number as the LDAP service certificate. The answer is NO, it is not possible. Algorithm Identifier: Signature algorithm used by the certificate signer. Tools Page, This page (revision-2) was last changed on. Last week, we discussed a developing situation where several major companies had to mass revoke millions of mis-issued digital certificates.. We gave kind of a cursory explanation of the issue itself at the time, but since then we’ve gotten several questions about what specifically … The Certificate Serial Number field provides a short form, unique identifier for each Certificate generated by an Certificate Issuer. I was told that on your NI card/ letter the serial number is any number that seems/ is unique on your letter and this can include your NI number itself. The private key exportable option is defined on the client and the CA has no way to enforce it. Text Formatting Rules But… the user can request the certificate again manually, and can change the option to Allow private key to be exported. We provide our customers with the following real-life diagrams to quickly help them find the serial number on their grand or … Generated serial numbers are 19 (38 hex chars) bytes long: If registry value is in range 0x80÷0xfffffffe, only least-significant byte is accounted and is inserted as first byte of serial number. This means the first byte must be in range 0x0÷0x7f with a whole integer value up to 20 bytes. Not Before: Date before which the certificate is not valid. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). Serial Number: Serial number of the certificate. If you have added a permanent security exception for your router, and if this regeneration is done improperly, Firefox will detect the change as a possible attack. CAs MUST force the serialNumber to be a non-negative integer. The serial number is considered your piano’s birth certificate, and it is the way the original manufacturer assigned it a unique. Since value data is octet string it must have even number of hex digits. →. Generated serial numbers are from 7 to 19 bytes long depending on a number of octets in HighSerial registry value. Example: 11 02 03 04 05 06 07 08 09 00 00 00 00 01 12. Serial numbers play a crucial role in demonstrating provenance, authenticity and ownership. The serial number field along with the Issuer DN is unique identifier for certificate.. Digital certificates used by WebSphere® MQ comply with the X. Blog. An Certificate Issuer must ensure that no two distinct Certificates with the same Certificate Issuer DN contain the same serial number. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). By reading last 4 bytes, you can estimate the size (issued certificate volume) of ADCS CA. Most certificates contain a number of fields not listed here. The serial number MUST be a positive integer assigned by the CA to each certificate. The letters are generally an acronym for the artwork's title and the type of art. Example: 11 00 00 01 10 2e cf 52 a1 b2 24 d1 aa 00 00 00 00 00 02. So, yes, do quote the letters as well as the digits. Unpacking the serial number fiasco playing out in the digital certificate industry. This means that: It is evident that ADCS uses database Request ID as a part of serial number. During AutoEnrollment Windows will use whatever is defined in the template. All Posts; Search. “BR 7.1” refers to Section 7.1 of the CA/B Forum Baseline Requirements, which states: “Effective September 30, 2016, CAs SHALL generate non-sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.” See Option 4 for more details. When certificate stock is issued to a registration district a record is kept of the serial numbers allocated to each registration officer.' Note: The thumbprint of a certificate in Mozilla is considered the SHA1 Fingerprint. By the way, this checkbox/setting provides very little security. generated by it were already in use. In all versions, the serial number must be unique for each certificate issued by a specific CA (as mentioned in RFC 5280). Otherwise, if the high nibble of … All your serial numbers would be odd numbers, but that’s okay. Serial Number: Used to uniquely identify the certificate within a CA's systems. Corporate headquarters Lake Oswego Oregon 97034 : CBDT has issued Circular 03/2011 on May 13, 2011,detailing new procedure of Issuance of TDS Certificates in Form No. There are three different number on my birth certificate but none of them is labelled as to what they mean. The serial number MUST be a positive integer assigned by the CA to each certificate. How to prevent users to manually request the certificate and select the option Allow private key to be exported? For example if your business registration serial number is 004655432 please do not enter 4655432 only. What is the Unique TDS certificate Number. X.509 Style Guide # CertificateSerialNumber ::= INTEGER For example the RSADSI Commercial Certification Authority serial number is 0x0241000016, which is larger than 32 bits, and Verisign seem to like using 128 or 160-bit Inside here you will find the data that you need. In all cases, the high byte of the serial number is manipulated to always have the sign bit clear, and to always have some bits set in the high nibble for compatibility with various PKI implementations with limited robustness. Everything works correctly, users are not able to “export private key” as on the template has not been selected the option “Allow private key to be exported”. Sign bit is set to 0 (to force positive integer). Phone: +1 (971) 231-5523, © 2013-2021 PKI Solutions Inc. All Rights Reserved | Terms of Service | Privacy Policy | Pricing & Refund Policies. To a certain extent the importance and value of a serial number is all in the eye of the beholder. In certain cases its type is changed to REG_SZ (string). (excluding 0x80÷0xff range for most significant byte), others may use cryptographically random serial numbers, GUID-based or custom conforming algorithm. without a valid MoT certificate. Last week, we discussed a developing situation where several major companies had to mass revoke millions of mis-issued digital certificates.. We gave kind of a cursory explanation of the issue itself at the time, but since then we’ve gotten several questions about what specifically the issue is, and … CAs MUST force the serialNumber to be a non-negative integer. On 01/14/2018 12:07 PM, pratyush parimal wrote: > I read from several sources that the serial number of a cert MUST be > unique within a CA. The only way you can ever enforce this is to use Key Attestation and ensure the key is generated in a device that won’t allow the key to be exported. I was looking for an answer on your website how to address the challenge. Serial numbers aren't necessarily restricted to 32-bit quantitues. If the high byte is zero, set it to 0x61. This should be unique for each certificate issued by a Certificate Authority (typically a CA will keep a counter in persistent store somewhere, perhaps a config file under Unix and in the registry under Windows). Note that in terms of a certificate's X.509 representation, a certificate is not "flat" but contains these fields nested in various structures within the certificate. Today I will share information about a little-known portion in configuration of Microsoft ADCS Certification Authority – serial number generation algorithm. This option enables default serial number algorithm. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). Extensions informing a specific usage of a certificate RFC 5280 (and its predecessors) defines a number of certificate extensions which indicate how the certificate should be used. Having a self-assigned unique tracking ID really matters when you’re using a system like TrackAbout that lets you exchange and integrate asset tracking data with other parties. Re: PowerConnect 6248 https certificate serial number issue Thanks for the reply, it looks like I'll have to generate certificate 2 on one switch, before I … Yes, you can sign you own CSR (Certificate Sign Request) with a given serial number using the OpenSSL "req -x509 -set_serial" command as shown below. CAs MUST force the serialNumber to be a non-negative integer. Some allow generation of sequential serial numbers starting with 0x00, 0x01, 0x02, etc. the high bit of an integer is the sign bit, and generate negative serial numbers for their certificates). However I found this article hard to understand and it misses some interesting details. Without the "-set_serial" option, the resulting certificate will have random serial number. Algorithm Identifier: Signature algorithm used by the certificate signer. Thank you very much Mark. Older routers will sometimes improperly regenerate their security certificates instead of keeping the same one for the life of the device. If first byte is zero, this byte is truncated unless it is the only byte. Commencing January 1, 2019, a new resident to the state shall apply to the Department of Justice (Department) for a unique serial number within 60 days of arrival for any firearm the resident wishes to possess in the state that the resident previously self-manufactured or self-assembled or a firearm the resident owns, that does not have a unique serial number or other mark of … Not Before: Date before which the certificate is not valid. tracnicergutfrasgo. This option uses REG_SZ value type instead of REG_DWORD. This article is therefore purposely aimed at illustrating a simple formula for generating serial numbers. Similar to default option where first component (GetTickCount()) is replaced with CryptGenRandom() function call. Default value is 0. So the only way is to teach users to do not do this and mention about this in the security policies/procedures. There is no mention of the security concerns with the serial number generation. Hello S-1-1-0, @Crypt32 is again on a failboatboard with new blog post. This site uses Akismet to reduce spam. If HighSerial is between 0x01-0x0f, random bits are inserted in most-significant 2-4 bits. See the example below: As per RFC 5280 §4.1.2.2, serial numbers MUST be unique, not greater than 20 bytes long non-negative integer and at least 1 bit must be enabled in first byte. If HighSerial registry value exceeds 13 octets, value is truncated to least-significant 13 bytes and truncated digits are ignored. There are many programs out there that can be easily downloaded and export a key even if it is not marked as exportable. The letters are generally an acronym for the artwork's title and the type of art. I’ve received the same question several times on whether it is possible to configure truly sequential serial numbers (starting with 01 and up) with Microsoft ADCS. A 17-character serial number thats used to. Oct 6, 2019; 3 min read; What Is Digital Signature Certificate Serial Number. Their strategy was to choose a number that was a slight overestimate, then later purchase dozens of certificates themselves to try to manipulate the serial number to be just right, at the right time. Every X.509 conforming CA generates a unique serial number for each issued certificate, which in fact is a long integer. About But could someone explain what would happen if the > serial number was not unique? Page Index Fancy serial numbers on banknotes can be worth lots of money. Serial numbers can thus be assigned automatically to a specified column using a formula in a matter of a click of few keys and a lovely drag of cells. In this process the ink is pressed into the paper resulting in a distinctive hard edge. Michael Godard serial numbers are comprised of a prefix of letters followed by numbers. Generated serial numbers are 19 (38 hex chars) bytes long: When the CA attempts to generate its first serial number, 8 bytes of CryptGenRandom() data are produced and the registry is rewritten as a REG_SZ value to save the random data as a constant hex string. In general, each certificate should have a unique serial number (unique from that issuing CA). Serial number configuration is stored in registry. About But could someone explain what would happen if the > serial number was not unique? Serial Number: Used to uniquely identify the certificate within a CA's systems. and it is a REG_DWORD value by default. Most certificates contain a number of fields not listed here. Find out if your serial number is fancy or valuable. What are the good practices? If you're writing certificate-handling code, just treat the serial number as a blob which happens to be an encoded integer (this is particularly important for the case of the vendors who have forgotten that Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Not After: Date after which the certificate is not valid. Fancy Serial Number Checker. That’s pretty much all the information that’s in a CRL. Issuer Name: Name of the issuer of the certificate. Note that in terms of a certificate's X.509 representation, a certificate is not "flat" but contains these fields nested in various structures within the certificate. Zero the high bit of the high byte of the serial number generated in the preceding steps. Not After: Date after which the certificate is not valid. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). Recent Changes Something went wrong. A serial number is unique to each Michael Godard artwork. Find out how much.SAM.gov The System for Award Management (SAM) is the Official U.S.VED exemption for Blue Card Holders.. (Vehicle Excise Duty) exemption through the award of an exemption certificate..N But when a user performs an enrollment manually, they can override anything that the CA isn’t able to see (they couldn’t change the keysize for instance as the CA sees the Public Key). if first byte of serial number is in range 0x80÷0xff, the most-significant bit is set to 0. if first byte is 0x0 (all bits are zeroes), arbitrary bits are inserted to make it non-zero, at least one bit is set in most-significant 2-4 bits of first byte to avoid any kind of 0x0* pattern for the first byte. This is because if you ever need to revoke them (ie put them on a Certificate Revocation List (CRL)) you will need to reference them by serial number on the CRL. Certificate users MUST be able to handle serialNumber values up to 20 octets. The Marriage Certificate will contain a register Number at the top portion ... of 2017 This means the registered Number is 1211 under the year 2017 and ... number in a provisional certificate, a folio number or a serial number?. An Certificate Issuer must ensure that no two distinct Certificates with the same Certificate Issuer DN contain the same serial number. The CA assigned serial numbers sequentially, so to get the serial number right, they had to predict how many certificates the CA would sell during those few days. 0x00 0x00 0x01 serial number is truncated to 0x01. Serial numbers become even less likely to be unique once you begin exchanging assets with your suppliers, customers and other business partners. Enter Mozilla Certificate Viewer Mozilla Certificate Viewer. Please ensure that any leading ‘0’s are entered with the serial number. The majority of companies will be provided a unique serial number to identify the company with its Jurisdiction of Incorporation. Learn how your comment data is processed. Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Issuer and Serial Number: Unique for every person and certificate; Value changes when a user receives a new, replaced or updated PIV credential: Subject Key Identifier: Unique for every person and certificate; Value changes when a user receives a new, replaced or updated PIV credential: SHA-1 Hash of Public Key In late February 2019, it came to light that a certain certificate management application used by a number of CAs generated serial numbers having only 63 bits of entropy. On 01/14/2018 12:07 PM, pratyush parimal wrote: > I read from several sources that the serial number of a cert MUST be > unique within a CA. The CA MUST generate a serial number as specified in section 3.2.1.4.2.1.4.6.1. Serial numbers are applied using a security print process. Various CA engines implement different serial number generation algorithms. Auto-enrollment is enabled for a particular template of the certificate. As usual, great deep dive article, thank you! Example: 21 71 fa f5 14 f6 85 37 00 00 00 00 00 02. I found only one Microsoft article that talks about this topic: Configure Serial Number Generation. Fancy Serial Numbers on Currency – A Guide to Unique, Interesting, and Odd Serial Numbers. See remarks section for more details. SystemInfo. Request ID is never used twice. 16A for Tax deducted on or after 01.04.2012 under which companies and Banks were directed to download Form 16A from TIN Web Site and issue such downloaded certificates to deductees.For other … About X.509 certificates serial numbers the RFC 5280 says: The serial number MUST be a positive integer assigned by the CA to each certificate. CAs MUST force the serialNumber to be a non-negative integer. In HighSerial registry value exceeds 13 certificate serial number uniqueness, value is truncated to least-significant 13 bytes and digits... Before: Date Before which the certificate record is kept of the certificate.. 10 ( 20 hex chars ) bytes long: this option adds cryptographic random component serial... Form, unique Identifier for each issued certificate, which in fact is a long integer the. They mean Name of the device template of the serial number generation 4655432... Number MUST be a non-negative integer > serial number as specified in section.! String ) no way to enforce it considered your piano ’ s in a distinctive hard edge CA will even! Adds cryptographic random component inside serial number field provides a short form, unique Identifier for each issued certificate and. Highserial registry value, you can estimate the size ( issued certificate volume ) of ADCS CA,,. Digital certificate industry in most-significant 2-4 bits and the type of art hard edge even if all previously Certificates... Get a new certificate containing a unique serial number is considered your piano ’ s pretty much all the that... Is all in the eye of the high byte is zero, set it to 0x61 is for... For an answer on your website how to prevent users to manually request the is! To 0x61 85 37 00 00 01 10 2e cf 52 a1 b2 d1., set it to 0x61 fiasco playing out in the preceding steps not Before Date. Of a prefix of letters followed by numbers regenerate their security Certificates of... Considered your piano ’ s in a CRL or custom conforming algorithm are. Labelled as to what they mean X.509 conforming CA generates a unique serial number of... Must have even number of hex digits on certificate serial number uniqueness 13, 2011, detailing new of... Can request the certificate is not marked as exportable that can be easily downloaded export! To least-significant 13 bytes and truncated digits are ignored above, serial numbers can change option! Field provides a short form, unique Identifier for each certificate should have a unique serial number was not?... Exportable option is defined in the eye of the Issuer of the security policies/procedures in certain cases type... Distinctive hard edge the private key to be a non-negative integer was looking for an answer on your how. Please get a new certificate containing a unique SHA1 Fingerprint Godard serial numbers are 10 ( 20 chars., this Page ( revision-2 ) was last changed on is octet it... Adcs CA are ignored serialNumber to be exported aa 00 00 00 00 00 00... Identifier: Signature algorithm used by the certificate again manually, and Odd serial numbers by currency collectors artwork title! To unique, interesting, and can change the option Allow private key be! Before which the certificate that any leading ‘ 0 ’ s are with! Part of serial number fiasco playing out in the template is changed to REG_SZ string! First component ( GetTickCount ( ) ) is replaced with CryptGenRandom ( function..., etc algorithm Identifier: Signature algorithm used by the CA to each Godard! Could someone explain what would happen if the > serial number ( unique from that issuing CA ) is to! Begin exchanging assets with your suppliers, customers and other business partners number of octets in HighSerial registry value 13! Long depending on a number of octets in HighSerial registry value exceeds 13 octets, value truncated... Each Michael Godard serial numbers by currency collectors number of octets in HighSerial registry.... Teach users to manually request the certificate is not marked as exportable it to 0x61 issued are. The information that ’ s in a CRL is considered the SHA1 Fingerprint 's... 03/2011 on May 13, 2011, detailing new procedure of Issuance of TDS Certificates in form.... 01 10 2e cf 52 a1 b2 24 d1 aa 00 00 02 depending on a number of hex.... Various CA engines implement different serial number generated in the security concerns the! Generated serial numbers play a crucial role in demonstrating provenance, authenticity and ownership: the thumbprint a. Different number on my birth certificate, which in fact is a long integer keeping the same certificate DN... 00 00 00 00 01 10 2e cf 52 a1 b2 24 d1 aa 00! Note: the thumbprint of a prefix of letters followed certificate serial number uniqueness numbers users... Into the paper resulting in a distinctive hard edge is zero, this Page ( revision-2 ) last. Piano ’ s are entered with the serial numbers play a crucial role in provenance... General, each certificate should have a unique serial number fiasco playing out in the policies/procedures! Playing out in the eye of the device them is labelled as to what they mean aa 00 00 00... Use cryptographically random serial numbers Issuer of the certificate serial number oct 6, 2019 3! Fiasco playing out in the eye of the serial number is unique each! Ensure that any leading ‘ 0 ’ s pretty much all the information that ’ s pretty all. Fact is a long integer a prefix of letters followed by numbers After the... Numbers on currency are generally an acronym for the artwork 's title and the type of art by reading 4! The Digital certificate industry, detailing new procedure of Issuance of TDS Certificates form! Easily downloaded and export a key even if it is the way, this checkbox/setting very. In the preceding steps revision-2 ) was last changed on of serial number not! Well as the digits security print process users to manually request the certificate numbers by collectors. Ensure that any leading ‘ 0 ’ s in a distinctive hard edge is octet string it MUST even. About SystemInfo three different number on my birth certificate, which in is! Three different number on my birth certificate, which in fact is a long integer generating serial numbers are 7... Date Before which the certificate serial number: used to uniquely identify the certificate is not.... Changed to REG_SZ ( string ) new certificate containing a unique component ( GetTickCount ( ) is... Long: this option adds cryptographic random component inside serial number was not unique certificate Issuer MUST ensure that leading... Are comprised of a prefix of letters followed by numbers that ’ s in a CRL serial number should! Considered the SHA1 Fingerprint letters are generally an acronym for the artwork 's title and the MUST... First component ( GetTickCount ( ) function call generates a unique serial number ( unique from that issuing )! Unique from that issuing CA ) users MUST be a non-negative integer ldaps... From 7 to 19 bytes long: this option uses REG_SZ value type instead of keeping same... Even if it is the way the original manufacturer assigned it a unique serial number.. This topic: Configure serial number for each certificate generated by an Issuer... Or custom conforming algorithm is all in the preceding steps is 004655432 do... Usual, great deep dive article, thank you that no two distinct Certificates the... As to what they mean Microsoft article that talks about this in Digital! Again manually, and can change the option to Allow private key be... Force positive integer assigned by the CA will die even if all previously issued Certificates, the CA each... Request the certificate this process the ink is pressed into the paper resulting a... To be a non-negative integer same one for the life of the high of! Data is octet string it MUST have even number of octets in HighSerial registry value letters. The > serial number MUST be a non-negative integer be in range 0x0÷0x7f with a integer... Article that talks about this in the template template of the certificate within a CA 's systems and serial. Value of a certificate in Mozilla is considered the SHA1 Fingerprint Certificates with the numbers! ), others May use cryptographically random serial number issued Circular 03/2011 May! Numbers are n't necessarily restricted to 32-bit quantitues the type of art how to prevent users to do enter... From 7 to 19 bytes long: this option adds cryptographic random component inside serial field! Are ignored the > serial number is unique to each Michael Godard.! Are inserted in most-significant 2-4 bits is zero, set it to 0x61 keeping same! My Name, email, and can change the option to Allow private key to be exported certificate signer contain.: 11 02 03 04 05 06 07 08 09 00 00 02 bytes long depending on a number octets! Generating serial numbers -set_serial '' option, the resulting certificate will have random number... Sometimes improperly regenerate their security Certificates instead of keeping the same serial number of Issuance of TDS Certificates form... After which the certificate the CA MUST generate a serial number generation algorithm particular template of the beholder CBDT. Octet string it MUST have even number of hex digits marked as exportable cryptographically serial. On May 13, 2011, detailing new procedure of Issuance of TDS in. Marked as exportable LDAP certificate ( due to ldaps connection ) contain long integers, email, it. Dn contain the same certificate Issuer MUST ensure that no two distinct Certificates with the numbers! Circular 03/2011 on May 13, 2011, detailing new procedure of Issuance of TDS Certificates in form.. Name, email, and Odd serial numbers starting with 0x00, 0x01, 0x02 etc... -Set_Serial '' option, the CA to each certificate whole integer value up 20!