Currently, generating valid, RFC 5280-conformant serial numbers is an exercise left up to the user. As of https://go.dev/cl/400377 we enforce the 20-octet length requirement, but it looks like a lot of users don't entirely know how they should go about generating a valid serial number (in particular, if people do know about the 20-octet maximum, they are not aware that serials that are 20 octets long cannot have the MSB set).

Since there are such ambiguities about how to best do this, it would seem prudent to just provide a function which generates serials (or a method on *Certificate) that are conformant with the 5280 rules, i.e.

* func GenerateSerial(rand io.Reader) (*big.Int, error)
* func (*Certificate) GenerateSerial(rand io.Reader) error
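The two rules the proposal is about, positivity and the 20-octet DER limit with its MSB caveat, as an added Go example; this is not the crypto/x509 implementation or the CL's code, and the function names only mirror the signature suggested above. CheckSerial tests the actual DER encoding, which is where a 20-byte value with the top bit set becomes 21 octets.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"fmt"
	"io"
	"math/big"
)

// RFC 5280 4.1.2.2: a serial is a positive INTEGER of at most 20 DER octets. A 20-byte
// value with the MSB set needs a leading 0x00 to stay positive, i.e. 21 octets: invalid.
const maxSerialOctets = 20

// CheckSerial validates serial against the rules above by inspecting its DER encoding.
func CheckSerial(serial *big.Int) error {
	if serial == nil || serial.Sign() <= 0 {
		return fmt.Errorf("serial number must be a positive integer")
	}
	der, err := asn1.Marshal(serial)
	if err != nil {
		return err
	}
	if n := len(der) - 2; n > maxSerialOctets { // strip tag 0x02 and the one-byte length
		return fmt.Errorf("serial DER content is %d octets, maximum is %d", n, maxSerialOctets)
	}
	return nil
}

// GenerateSerial draws 20 random octets and clears the top bit, so the value fits in
// 159 bits and never needs DER sign padding. A zero draw is retried (0 is not positive).
func GenerateSerial(rand io.Reader) (*big.Int, error) {
	buf := make([]byte, maxSerialOctets)
	for {
		if _, err := io.ReadFull(rand, buf); err != nil {
			return nil, err
		}
		buf[0] &= 0x7f
		if serial := new(big.Int).SetBytes(buf); serial.Sign() > 0 {
			return serial, nil
		}
	}
}

func main() {
	serial, err := GenerateSerial(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%x valid=%v\n", serial, CheckSerial(serial) == nil)
}
```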

Comment From: gopherbot

Change https://go.dev/cl/401657 mentions this issue: crypto/x509: revert serial length restriction

Comment From: rsc

This proposal has been added to the active column of the proposals project and will now be reviewed at the weekly proposal review meetings. — rsc for the proposal review group

Comment From: rsc

This seems fine. Does anyone object to this?

Comment From: rsc

Based on the discussion above, this proposal seems like a likely accept. — rsc for the proposal review group

Comment From: rsc

No change in consensus, so accepted. 🎉 This issue now tracks the work of implementing the proposal. — rsc for the proposal review group

Comment From: martin-sucha

It is not clear if the proposal is to add func GenerateSerial(rand io.Reader) (*big.Int, error) or func (*Certificate) GenerateSerial(rand io.Reader) error or both. Could you please clarify?

Comment From: gopherbot

Change https://go.dev/cl/479120 mentions this issue: crypto/x509: add GenerateSerial

Comment From: rolandshoemaker

Closing this in favor of the proposal in #67675.