[Freeipa-devel] Random Certificate Serial Numbers

Rob Crittenden rcritten at redhat.com
Tue Apr 8 13:39:36 UTC 2014

Dmitri Pal wrote:
> On 04/07/2014 03:48 AM, Martin Kosek wrote:
>> Hi Rob, Ade and others,
>> In the past, Rob was investigating enabling random certificate serial
>> numbers
>> for FreeIPA PKI [1].  We also have a ticket [2] planned to enable it
>> for 4.0.
>> Can we simply switch it on for PKI with pkispawn attribute:
>> [CA]
>> pki_random_serial_numbers_enable=True
>> or is there any drawback or risk we should investigate. I am just
>> thinking,
>> does PKI handle collisions anyhow? When for example two PKI masters
>> generate 2
>> certificates of the same serial (unlikely though it could happen)?
>> Currently, we assign different slice of serial range to different PKI
>> masters,
>> do we want to do that also for random serial?
>> Thanks for info
>> [1] http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
>> [2] https://fedorahosted.org/freeipa/ticket/2016
> Any impact on upgrades?

It only affects new installs.

> Any impact on certmonger?

I seriously doubt it. The only potential issue is seriously long serial 
numbers but that isn't specific to random values.

I had an install using this a year or so ago and I don't recall any 
major issues. Unfortunately that system has gone off the deep end so I 
no longer have the changes.


More information about the Freeipa-devel mailing list