[Freeipa-devel] Random Certificate Serial Numbers
rcritten at redhat.com
Tue Apr 8 13:39:36 UTC 2014
Dmitri Pal wrote:
> On 04/07/2014 03:48 AM, Martin Kosek wrote:
>> Hi Rob, Ade and others,
>> In the past, Rob was investigating enabling random certificate serial
>> for FreeIPA PKI. We also have a ticket planned to enable it
>> for 4.0.
>> Can we simply switch it on for PKI with pkispawn attribute:
>> or is there any drawback or risk we should investigate. I am just
>> does PKI handle collisions anyhow? When for example two PKI masters
>> generate 2
>> certificates of the same serial (unlikely though it could happen)?
>> Currently, we assign different slice of serial range to different PKI
>> do we want to do that also for random serial?
>> Thanks for info
>>  http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
>>  https://fedorahosted.org/freeipa/ticket/2016
> Any impact on upgrades?
It only affects new installs.
> Any impact on certmonger?
I seriously doubt it. The only potential issue is seriously long serial
numbers but that isn't specific to random values.
I had an install using this a year or so ago and I don't recall any
major issues. Unfortunately that system has gone off the deep end so I
no longer have the changes.
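As an added illustration of the collision question raised in the thread (this is not code from FreeIPA or Dogtag), the following Python draws a random serial that stays inside RFC 5280's 20-octet limit and uses the birthday bound to estimate how likely two masters drawing from one shared random space are to clash. It assumes serials are independent CSPRNG draws and uses 128 bits as an assumed width; the width Dogtag actually uses is not stated on this page.

```python
import math
import secrets

# RFC 5280 4.1.2.2: serialNumber is a positive INTEGER of at most 20 DER octets.
SERIAL_MAX_OCTETS = 20
# 159 value bits: the top bit must stay clear, otherwise DER needs a 21st
# leading 0x00 octet to keep the integer positive.
SERIAL_MAX_BITS = 8 * SERIAL_MAX_OCTETS - 1


def der_octet_length(n):
    """Content octets needed to DER-encode the non-negative integer n."""
    return n.bit_length() // 8 + 1


def random_serial(bits=128):
    """Return a positive serial built from exactly `bits` bits of CSPRNG output.

    Forcing the top bit on keeps the encoded length fixed, so the serial is
    always positive and never hints at how many certificates were issued.
    (128 bits is an assumed width, not a value taken from Dogtag.)
    """
    if not 1 <= bits <= SERIAL_MAX_BITS:
        raise ValueError(f"bits must be between 1 and {SERIAL_MAX_BITS}")
    return secrets.randbits(bits - 1) | (1 << (bits - 1))


def collision_probability(bits, n_certs):
    """Birthday bound on P(two of n_certs random `bits`-bit serials collide).

    With random serials every master draws from the same space, so n_certs
    is the total issued across all masters, unlike sliced ranges, where
    disjoint slices rule out cross-master collisions by construction.
    """
    if n_certs < 2:
        return 0.0
    expected_colliding_pairs = n_certs * (n_certs - 1) / (2 * 2 ** bits)
    # -expm1(-x) == 1 - exp(-x) without losing precision for tiny x.
    return -math.expm1(-expected_colliding_pairs)


if __name__ == "__main__":
    s = random_serial()
    print(f"serial={s:x} der_octets={der_octet_length(s)}")
    for bits, n in ((32, 100_000), (64, 1_000_000), (128, 1_000_000)):
        print(f"{bits:3d}-bit serials, {n:>9,} certs: "
              f"P(collision) ~ {collision_probability(bits, n):.3g}")
```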