Chen Xie

Reputation: 4271

Site certificate serial number changed after imported to Java keystore using keytool

I am configuring a Java client so it can connect to an HTTPS service. The service is in an experimental environment, so no signed certificate is provided, and I need to manually import it into the Java keystore to make it work.

In the browser, I checked the certificate and the serial number is something like:

ca d0 fa e6 4d c2 2b 16 60 88 51 fb e4 e3 2a 1f

And I downloaded this certificate and imported it into the keystore, but if I check the serial number again, using the keytool utility with the command:

keytool -list -v -keystore cacerts

The serial number changed to:

-352f0519b23dd4e99f77ae041b1cd5e1

However, the MD5 and the SHA1 fingerprints are identical, so why has the serial number changed? And am I not able to connect to the server possibly due to this mismatch?

I am referencing this link for issue triage: http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

Upvotes: 1

Views: 2003

Answers (1)

Steffen Ullrich

Reputation: 123340

This is just a misrepresentation of an unsigned integer as a signed integer. The serial numbers themselves are the same. You might see this better if you write the positive part as binary:

11001010110100001111101011100110010011011100001000101011000101100110000010001000010100011111101111100100111000110010101000011111
00110101001011110000010100011001101100100011110111010100111010011001111101110111101011100000010000011011000111001101010111100001

The second line (0x352f0519b23dd4e99f77ae041b1cd5e1) is the two's complement of the original serial number SN=0xcad0fae64dc22b16608851fbe4e32a1f, that is, all bits flipped and 1 added. Thus Java shows in effect the same number, but as a signed value (SN == -(-SN)).

Upvotes: 3
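As an added illustration of the answer's point (example code written for this page, not taken from the question, the answer, or the JDK), the following Python reproduces both renderings from the serial quoted in the question and normalizes them to one unsigned value before comparing; the constants and helper names are my own.

```python
# Added example: the browser's unsigned serial and keytool's negative serial
# are the same 128-bit pattern read with different signedness.

BROWSER_SERIAL = "ca d0 fa e6 4d c2 2b 16 60 88 51 fb e4 e3 2a 1f"  # from the question
KEYTOOL_SERIAL = "-352f0519b23dd4e99f77ae041b1cd5e1"                 # from the question
SERIAL_BYTES = 16                                                     # width of this serial


def clean_hex(s: str) -> str:
    """Strip spaces, colons and a leading '0x' so both display formats parse alike."""
    s = s.replace(" ", "").replace(":", "")
    return s[2:] if s.lower().startswith("0x") else s


def signed_view(unsigned_hex: str) -> int:
    """Read the raw serial bytes as a signed big-endian two's-complement integer.
    This is the interpretation behind the negative number keytool prints when the
    top bit of the first byte is set (0xca = 1100 1010)."""
    raw = bytes.fromhex(clean_hex(unsigned_hex))
    return int.from_bytes(raw, "big", signed=True)


def unsigned_view(serial_hex: str, nbytes: int = SERIAL_BYTES) -> int:
    """Normalize either rendering to the unsigned value over nbytes bytes.
    int() accepts the leading '-' keytool prints; the modulo undoes the sign."""
    return int(clean_hex(serial_hex), 16) % (1 << (8 * nbytes))


def twos_complement(value: int, nbits: int = 8 * SERIAL_BYTES) -> int:
    """'All bits flipped and 1 added', masked to nbits: equals -value mod 2**nbits."""
    mask = (1 << nbits) - 1
    return ((~value) + 1) & mask


def serials_match(shown_a: str, shown_b: str, nbytes: int = SERIAL_BYTES) -> bool:
    """The check to run before concluding keytool imported a different certificate:
    compare the normalized unsigned values, not the printed strings."""
    return unsigned_view(shown_a, nbytes) == unsigned_view(shown_b, nbytes)


if __name__ == "__main__":
    sn = unsigned_view(BROWSER_SERIAL)
    print(f"unsigned SN        = {sn:#034x}")
    print(f"signed (Java) view = {signed_view(BROWSER_SERIAL):#x}")
    print(f"two's complement   = {twos_complement(sn):#034x}")
    print(f"serials match      = {serials_match(BROWSER_SERIAL, KEYTOOL_SERIAL)}")
```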
