diff --git a/changes/bug4584 b/changes/bug4584
new file mode 100644
index 0000000000..38cf2d6da6
--- /dev/null
+++ b/changes/bug4584
@@ -0,0 +1,4 @@
+  o Privacy/anonymity features (bridge detection):
+    - Make bridge SSL certificates a bit more stealthy by using random
+      serial numbers, in the same fashion as OpenSSL when generating
+      self-signed certificates. Implements ticket 4584.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index e052c85eb2..9ac5c34f26 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -585,7 +585,11 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
                            const char *cname_sign,
                            unsigned int cert_lifetime)
 {
+#define SERIAL_NUMBER_SIZE 8
+
   time_t start_time, end_time;
+  BIGNUM *serial_number = NULL;
+  unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
   EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
   X509 *x509 = NULL;
   X509_NAME *name = NULL, *name_issuer=NULL;
@@ -606,8 +610,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
     goto error;
   if (!(X509_set_version(x509, 2)))
     goto error;
-  if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time)))
+
+  { /* our serial number is 8 random bytes. */
+  if (crypto_rand((char *)serial_tmp, sizeof(serial_tmp)) < 0)
     goto error;
+  if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
+    goto error;
+  if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
+    goto error;
+  }
 
   if (!(name = tor_x509_name_new(cname)))
     goto error;
@@ -640,11 +651,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
     EVP_PKEY_free(sign_pkey);
   if (pkey)
     EVP_PKEY_free(pkey);
+  if (serial_number)
+    BN_free(serial_number);
   if (name)
     X509_NAME_free(name);
   if (name_issuer)
     X509_NAME_free(name_issuer);
   return x509;
+
+#undef SERIAL_NUMBER_SIZE
 }
 
 /** List of ciphers that servers should select from.*/