
Re: [Freeipa-devel] Random Certificate Serial Numbers

On 04/07/2014 03:48 AM, Martin Kosek wrote:
Hi Rob, Ade and others,

In the past, Rob was investigating enabling random certificate serial numbers
for FreeIPA PKI [1].  We also have a ticket [2] planned to enable it for 4.0.
Can we simply switch it on for PKI with pkispawn attribute:


or is there any drawback or risk we should investigate? I am just thinking,
does PKI handle collisions anyhow? For example, when two PKI masters generate 2
certificates with the same serial (unlikely, though it could happen)?

Currently, we assign a different slice of the serial range to different PKI masters;
do we want to do that also for random serials?

Thanks for info

[1] http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
[2] https://fedorahosted.org/freeipa/ticket/2016

Any impact on upgrades?
Any impact on certmonger?

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
