[Freeipa-devel] Random Certificate Serial Numbers
dpal at redhat.com
Mon Apr 7 23:53:16 UTC 2014
On 04/07/2014 03:48 AM, Martin Kosek wrote:
> Hi Rob, Ade and others,
> In the past, Rob was investigating enabling random certificate serial numbers
> for FreeIPA PKI. We also have a ticket planned to enable it for 4.0.
> Can we simply switch it on for PKI with pkispawn attribute:
> or is there any drawback or risk we should investigate? I am just thinking,
> does PKI handle collisions anyhow? When for example two PKI masters generate 2
> certificates of the same serial (unlikely though it could happen)?
> Currently, we assign different slice of serial range to different PKI masters,
> do we want to do that also for random serial?
> Thanks for info
>  http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
>  https://fedorahosted.org/freeipa/ticket/2016
Any impact on upgrades?
Any impact on certmonger?
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.