[Freeipa-devel] Random Certificate Serial Numbers

Dmitri Pal dpal at redhat.com
Thu Apr 10 16:41:50 UTC 2014

On 04/08/2014 09:55 AM, Ade Lee wrote:
> On Mon, 2014-04-07 at 09:48 +0200, Martin Kosek wrote:
>> Hi Rob, Ade and others,
>> In the past, Rob was investigating enabling random certificate serial numbers
>> for FreeIPA PKI [1].  We also have a ticket [2] planned to enable it for 4.0.
>> Can we simply switch it on for PKI with pkispawn attribute:
>> [CA]
>> pki_random_serial_numbers_enable=True
> Putting in this parameter in pkispawn means changing the method of
> assigning serial numbers for the CA that is being installed (ie. a new
> master)
> Thus this will affect new masters only.  When the CA is cloned, it will
> inherit its method of assigning serial numbers from the master.
> I need to check the code to see what happens if you specify the above
> directive in pkispawn for a clone.
> Are you considering changing the serial number assignment for existing
> masters?

>> or is there any drawback or risk we should investigate. I am just thinking,
>> does PKI handle collisions anyhow? When for example two PKI masters generate 2
>> certificates of the same serial (unlikely though it could happen)?
> Collisions are not supposed to happen.  Range number assignment is
> automatically managed so that different masters are assigned different
> ranges so that collisions cannot happen.
> Collisions can occur if ranges overlap -- ie. if you are
> manually updating ranges and end up using overlapping ranges.
>> Currently, we assign different slice of serial range to different PKI masters,
>> do we want to do that also for random serial?
> Yes.  Range management is done automatically.  Different masters are
> assigned different ranges to prevent collisions.  Random serial numbers
> will be generated within the assigned range.
>> Thanks for info
>> [1] http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
>> [2] https://fedorahosted.org/freeipa/ticket/2016
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-devel mailing list