[Freeipa-devel] Random Certificate Serial Numbers

Dmitri Pal dpal at redhat.com
Mon Apr 7 23:53:16 UTC 2014

On 04/07/2014 03:48 AM, Martin Kosek wrote:
> Hi Rob, Ade and others,
> In the past, Rob was investigating enabling random certificate serial numbers
> for FreeIPA PKI [1].  We also have a ticket [2] planned to enable it for 4.0.
> Can we simply switch it on for PKI with pkispawn attribute:
> [CA]
> pki_random_serial_numbers_enable=True
> or is there any drawback or risk we should investigate. I am just thinking,
> does PKI handle collisions anyhow? When for example two PKI masters generate 2
> certificates of the same serial (unlikely though it could happen)?
> Currently, we assign different slice of serial range to different PKI masters,
> do we want to do that also for random serial?
> Thanks for info
> [1] http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
> [2] https://fedorahosted.org/freeipa/ticket/2016
Any impact on upgrades?
Any impact on certmonger?

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-devel mailing list