Certificate serial and thumbprint number spacing
We have a Microsoft PKI setup at our organization. As per just about all certificates I've ever seen, new certificates issued by our issuing CAs will put the serial number and thumbprint in a HEX format with each byte separated by a space. Recently we had an HSM upgrade, no real changes made to our CAs aside from getting them set up with the HSM. Now all new certificates are being issued with serial numbers and thumbprints, still in HEX (I see letters), but no spaces anymore.
Could this be something the HSM is doing (it's a Thales device)?
Is there some place in a Microsoft PKI to change the formatting of these numbers?
Should I even care?
I know how an application uses a certificate serial/thumbprint number is specific to that application. Some require you take out the spaces and some don't. But some applications read it directly from the cert store and I wonder if the atypical format would mess them up. Are there any known issues with having the certificates issued in this format?
At the moment we haven't had any reported issues. Smart card AuthN and our SCCM workstation certs seem to be working just fine with the new certs.
I would assume the serial number and thumbprint are stored in some fixed number of bytes in the file and thus this formatting was purely a result of whatever viewer I'm using. At first I thought this may just be something new with the Windows certificate viewer and Windows 10 1809, but older certificates are still displayed with the spaces, so it doesn't appear to be the viewer that changed and I have to assume it is something with the format of the certificate file.
certificates public-key-infrastructure certificate-authority
asked 3 hours ago
New Guy
Interesting. I don't believe the HSM is involved in generating the serial numbers -- only computing the signature.
– Mike Ounsworth
3 hours ago
Yes, I would agree with that... In truth I do think this is a cert viewer issue... but since I can still see old certs having spaces it has me a bit baffled.
– New Guy
3 hours ago
How are you "seeing" those values? The certificates themselves should be in ASN.1, so the actual bytes would be binary, and HEX just its representation.
– Ángel
3 hours ago
1 Answer
accepted
It is solely the certificate viewer, nothing else. From time to time Microsoft tweaks/changes the certificate viewer. Prior to Windows 10, hex values were printed in octets separated by a space; now they removed the space. Though, public keys and public key parameters are printed in octets with spaces.
The fact that you see spaces for some certs is related to the certificate store. Certificate Viewer uses store-attached properties to fill fields in the cert viewer. Since the property value wasn't changed, it is shown as it was written (when spaces were used). Unlike certificate contents, certificate properties often use formatted strings instead of byte arrays.
I wouldn't care about this.
answered 3 hours ago
Crypt32
Yes indeed that is the issue. I was just about to come back and close this question as I realized I was just mixing up a Windows 10 1607 machine RDP session and a Windows 10 1809 session. Silly me.
– New Guy
3 hours ago
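The point made in the answer and in Ángel's comment, as an added example (not code from the thread or from Microsoft): a serial number or thumbprint is a run of bytes, and the spacing is only how a viewer prints it, so tooling that compares these values should parse the displayed text back to bytes first. The function names and sample values are constructed for illustration; the thumbprint is taken to be the SHA-1 digest of the DER-encoded certificate, and the sample bytes are not a real certificate.

```python
import hashlib
import re

# Octet separators that viewers and tools insert: whitespace, ':' and '-'.
_SEPARATORS = re.compile(r"[\s:\-]")
# Invisible direction/format marks that can be picked up when a value is
# copied out of a GUI dialog (for example U+200E).
_INVISIBLE = re.compile("[\u200e\u200f\u202a-\u202e\ufeff]")
_HEX_OCTETS = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def hex_field_to_bytes(text: str) -> bytes:
    """Parse a displayed serial/thumbprint into the bytes it represents."""
    cleaned = _SEPARATORS.sub("", _INVISIBLE.sub("", text))
    if not _HEX_OCTETS.fullmatch(cleaned):
        raise ValueError(f"not a whole number of hex octets: {text!r}")
    return bytes.fromhex(cleaned)


def display(raw: bytes, spaced: bool) -> str:
    """Render bytes the two ways the page describes: 'ab cd' or 'abcd'."""
    return raw.hex(" ") if spaced else raw.hex()


def same_thumbprint(a: str, b: str) -> bool:
    """A thumbprint is a fixed-length digest: compare the exact bytes."""
    return hex_field_to_bytes(a) == hex_field_to_bytes(b)


def same_serial(a: str, b: str) -> bool:
    """A serial is an ASN.1 INTEGER: compare as numbers, so a leading
    00 octet in one rendering does not cause a mismatch."""
    as_int = lambda s: int.from_bytes(hex_field_to_bytes(s), "big")
    return as_int(a) == as_int(b)


# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = bytes.fromhex("3082010a") + b"constructed example bytes"
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).digest()  # always 20 bytes

if __name__ == "__main__":
    old_style = display(SAMPLE_THUMBPRINT, spaced=True)    # octets with spaces
    new_style = display(SAMPLE_THUMBPRINT, spaced=False)   # no spaces
    pasted = "\u200e" + old_style.upper()                  # copied from a dialog
    print(old_style)
    print(new_style)
    print(same_thumbprint(old_style, new_style))  # same bytes either way
    print(same_thumbprint(pasted, new_style))     # invisible mark ignored
```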