keytool -gencert currently uses java.util.Random to generate unique serial numbers for certificates. A more uniquely secure mechanism using java.security.SecureRandom is desirable, even though keytool -gencert is generally only used for generating test certificates.