3.2.1.4.2.1.4.6 Generating a Serial Number

The CA SHOULD follow these steps to generate a serial number for a certificate. The CA MAY use an alternative algorithm to generate serial numbers. Note that the following steps do not conform to [RFC3280] section 4.1.2.2.

The following numbers are used in processing rules in this section:

C:  A 4-byte arbitrary integer generated with any pseudo random number generator.

R:  An 8-byte arbitrary integer generated with any pseudo random number generator.

  1. If Config_High_Serial_String is not empty, the CA SHOULD<79>:

    1. Generate a serial number as specified in section 3.2.1.4.2.1.4.6.3.

    2. Continue with step 5.

  2. If Config_High_Serial_Number equals 0xFFFFFFFF, the CA SHOULD<80>:

    1. Generate a serial number as specified in section 3.2.1.4.2.1.4.6.4.

    2. Generate a serial number as specified in section 3.2.1.4.2.1.4.6.3.

    3. Continue with step 5.

  3. If Config_High_Serial_Number is not zero, the CA MUST:

    1. Generate a serial number as specified in section 3.2.1.4.2.1.4.6.2.

    2. Continue with step 5.

  4. The CA MUST generate a serial number as specified in section 3.2.1.4.2.1.4.6.1.

  5. Zero the high bit of the high byte of the serial number generated in the preceding steps.

  6. If the high byte is zero, set it to 0x61. Otherwise, if the high nibble of the high byte is zero, XOR the high byte with 0x10.
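
The steps above, as an added Python sketch that is not part of the specification: `select_generators` models the selection in steps 1 through 4, and `finalize_serial` applies steps 5 and 6. The function names are hypothetical, the serial is assumed to be a big-endian byte string (first byte is the high byte), and the subsection algorithms themselves are not on this page, so a constructed random candidate stands in for their output.

```python
import secrets

SECTION = "3.2.1.4.2.1.4.6"

def select_generators(high_serial_string, high_serial_number):
    """Steps 1-4: return the subsection(s) the CA applies, in the order listed."""
    if high_serial_string:                    # step 1: Config_High_Serial_String not empty
        return [SECTION + ".3"]
    if high_serial_number == 0xFFFFFFFF:      # step 2
        return [SECTION + ".4", SECTION + ".3"]
    if high_serial_number != 0:               # step 3
        return [SECTION + ".2"]
    return [SECTION + ".1"]                   # step 4: default

def finalize_serial(serial):
    """Steps 5-6 on a candidate serial (assumption: serial[0] is the high byte)."""
    if not serial:
        raise ValueError("serial number must contain at least one byte")
    high = serial[0] & 0x7F                   # step 5: zero the high bit
    if high == 0x00:                          # step 6: a zero high byte becomes 0x61
        high = 0x61
    elif (high & 0xF0) == 0:                  # step 6: zero high nibble, XOR with 0x10
        high ^= 0x10
    return bytes([high]) + serial[1:]

def high_byte_range():
    """Run every possible high byte through steps 5-6 and report (min, max)."""
    outs = {finalize_serial(bytes([b]))[0] for b in range(256)}
    return min(outs), max(outs)

if __name__ == "__main__":
    # Constructed stand-in for a generated serial; the real byte layout is
    # defined in the subsections referenced by steps 1-4, not shown here.
    candidate = secrets.token_bytes(10)
    print("sections :", select_generators("", 0))
    print("candidate:", candidate.hex())
    print("final    :", finalize_serial(candidate).hex())
    lo, hi = high_byte_range()
    print("high byte always in 0x%02X..0x%02X" % (lo, hi))
```

Whatever the input, the high byte ends up in the range 0x10 to 0x7F, so the serial encodes as a positive integer with no leading zero byte, and the top bit of the high byte carries no randomness.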