[Freeipa-devel] Random Certificate Serial Numbers

Dmitri Pal dpal at redhat.com
Mon Apr 7 23:53:16 UTC 2014


On 04/07/2014 03:48 AM, Martin Kosek wrote:
> Hi Rob, Ade and others,
>
> In the past, Rob was investigating enabling random certificate serial numbers
> for FreeIPA PKI [1].  We also have a ticket [2] planned to enable it for 4.0.
> Can we simply switch it on for PKI with pkispawn attribute:
>
> [CA]
> pki_random_serial_numbers_enable=True
>
> or is there any drawback or risk we should investigate? I am just thinking,
> does PKI handle collisions anyhow? When for example two PKI masters generate 2
> certificates of the same serial (unlikely though it could happen)?
>
> Currently, we assign different slice of serial range to different PKI masters,
> do we want to do that also for random serial?
>
> Thanks for info
>
> [1] http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
> [2] https://fedorahosted.org/freeipa/ticket/2016
>
Any impact on upgrades?
Any impact on certmonger?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
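As an added illustration of the collision question raised in the thread (example code written for this page, not Dogtag or FreeIPA code): it estimates the birthday bound for k-bit random serials and simulates two CA masters that can each check only their own issued serials, with and without a per-master slice of the serial space. The serial width, the prefix-based slicing and the local-only uniqueness check are assumptions for the demonstration, not a description of how Dogtag actually behaves.

```python
"""Collision risk for random certificate serial numbers (constructed example).

Not Dogtag/FreeIPA code. Shows (1) the birthday bound for random serials and
(2) why two masters sharing one range can collide when each only sees its own
database, while disjoint per-master slices cannot collide across masters.
"""
import math
import secrets


def collision_probability(n_certs: int, serial_bits: int) -> float:
    """Approximate P(at least one duplicate) among n_certs uniformly random
    serial_bits-bit serials: 1 - exp(-n(n-1)/(2N)), accurate while n << N."""
    space = 2 ** serial_bits
    return 1.0 - math.exp(-n_certs * (n_certs - 1) / (2.0 * space))


def certs_for_probability(p: float, serial_bits: int) -> int:
    """Number of serials that can be issued before collision probability hits p."""
    space = 2 ** serial_bits
    return int(math.sqrt(-2.0 * space * math.log(1.0 - p)))


class Master:
    """A CA master drawing random serials. The top prefix_bits hold master_id,
    so two masters with different ids draw from disjoint slices (assumed scheme).
    prefix_bits=0 with master_id=0 models a single shared range."""

    def __init__(self, master_id: int, serial_bits: int, prefix_bits: int):
        self.master_id, self.rand_bits = master_id, serial_bits - prefix_bits
        self.issued = set()  # only this master's own database is visible to it

    def next_serial(self) -> int:
        while True:
            serial = (self.master_id << self.rand_bits) | secrets.randbits(self.rand_bits)
            if serial not in self.issued:  # local uniqueness check only
                self.issued.add(serial)
                return serial


def cross_master_collisions(masters, per_master: int) -> int:
    """Issue per_master serials from each master; count serials already
    issued by a *different* master (invisible to the issuing one)."""
    seen, collisions = {}, 0
    for m in masters:
        for _ in range(per_master):
            s = m.next_serial()
            if s in seen and seen[s] is not m:
                collisions += 1
            seen.setdefault(s, m)
    return collisions
```

With 64-bit serials, about 5 billion certificates reach a 50% collision chance; two masters on one 16-bit range issuing 1000 certificates each will almost always collide, while prefix-sliced masters never do.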
