[Freeipa-devel] Random Certificate Serial Numbers
dpal at redhat.com
Thu Apr 10 16:41:50 UTC 2014
On 04/08/2014 09:55 AM, Ade Lee wrote:
> On Mon, 2014-04-07 at 09:48 +0200, Martin Kosek wrote:
>> Hi Rob, Ade and others,
>> In the past, Rob was investigating enabling random certificate serial numbers
>> for FreeIPA PKI. We also have a ticket planned to enable it for 4.0.
>> Can we simply switch it on for PKI with pkispawn attribute:
> Putting in this parameter in pkispawn means changing the method of
> assigning serial numbers for the CA that is being installed (i.e. a new
> Thus this will affect new masters only. When the CA is cloned, it will
> inherit its method of assigning serial numbers from the master.
> I need to check the code to see what happens if you specify the above
> directive in pkispawn for a clone.
> Are you considering changing the serial number assignment for existing
>> or is there any drawback or risk we should investigate. I am just thinking,
>> does PKI handle collisions anyhow? When for example two PKI masters generate 2
>> certificates of the same serial (unlikely though it could happen)?
> Collisions are not supposed to happen. Range number assignment is
> automatically managed so that different masters are assigned different
> ranges so that collisions cannot happen.
> Collisions can occur if ranges overlap -- i.e. if you are
> manually updating ranges and end up using overlapping ranges.
>> Currently, we assign different slice of serial range to different PKI masters,
>> do we want to do that also for random serial?
> Yes. Range management is done automatically. Different masters are
> assigned different ranges to prevent collisions. Random serial numbers
> will be generated within the assigned range.
>> Thanks for info
>>  http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
>>  https://fedorahosted.org/freeipa/ticket/2016
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
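As an added illustration of the range-based scheme Ade describes above (example code written for this page, not part of the thread or of Dogtag/FreeIPA), the following hypothetical Python model draws random serials with a CSPRNG from a master's own assigned range, flags overlapping ranges, and estimates how quickly two masters sharing a range would collide. Because each serial is drawn only from within the assigned range, a serial's unpredictability is bounded by the range width, so very narrow ranges reduce the benefit of randomisation.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SerialRange:
    """Inclusive serial-number range assigned to one CA master (hypothetical model)."""
    master: str
    low: int
    high: int

    def __post_init__(self):
        if self.low < 1 or self.high < self.low:
            raise ValueError(f"bad range for {self.master}: {self.low}-{self.high}")

    @property
    def width(self) -> int:
        return self.high - self.low + 1


def overlapping_ranges(ranges):
    """Pairs of masters whose ranges overlap (the manual-update mistake); empty means safe."""
    ordered = sorted(ranges, key=lambda r: r.low)
    return [(a.master, b.master)
            for i, a in enumerate(ordered)
            for b in ordered[i + 1:] if b.low <= a.high]


class MasterIssuer:
    """Issues random serials from one master's range, never re-using a serial it issued."""

    def __init__(self, rng: SerialRange):
        self.rng = rng
        self.issued = set()

    def issue(self) -> int:
        if len(self.issued) >= self.rng.width:
            raise RuntimeError(f"{self.rng.master}: serial range exhausted")
        while True:
            serial = self.rng.low + secrets.randbelow(self.rng.width)  # CSPRNG, uniform in range
            if serial not in self.issued:
                self.issued.add(serial)
                return serial


def collision_probability(n_certs: int, width: int) -> float:
    """Birthday-bound chance that n uniform draws from `width` values collide at least once.

    Models masters that share a range: each only knows its own issued set, so draws are
    effectively with replacement across masters."""
    p_no_collision = 1.0
    for k in range(n_certs):
        p_no_collision *= (width - k) / width
    return 1.0 - p_no_collision
```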