X.509 Certificate Serial Number Regex for Python

What this pattern does

This page provides a well-structured, multi-part regular expression for matching x.509 certificate serial number, ported and verified for Python. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your Python project — whether you're validating in a Django view, a FastAPI endpoint, or a standalone data processing script.

Python Implementation

# X.509 Certificate Serial Number
# ReDoS-safe | RegexVault — Security > Certificates & PKI

import re

x509_certificate_serial_number_pattern = re.compile(r'^[0-9a-f]{2}(?::[0-9a-f]{2}){7,19}$')

def validate_x509_certificate_serial_number(value: str) -> bool:
    return bool(x509_certificate_serial_number_pattern.fullmatch(value))

# Example
print(validate_x509_certificate_serial_number("01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef"))  # True

Test Cases

When to use this pattern

This pattern is drawn from the Security > Certificates & PKI category and carries a ReDoS-safe certification. That matters for Python developers because particularly important in Python web servers where CPU-bound regex operations can stall concurrent request handling. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Technical Notes

X.509 serial numbers are 1-20 byte (8-160 bit) integers, typically displayed in colon-separated hex pairs. CA/Browser Forum requires serial numbers be at least 64 bits and generated with at least 64 bits of entropy. Used for certificate revocation lookups (CRL, OCSP).