[Freeipa-devel] Random Certificate Serial Numbers

Rob Crittenden rcritten at redhat.com
Tue Apr 8 13:39:36 UTC 2014


Dmitri Pal wrote:
> On 04/07/2014 03:48 AM, Martin Kosek wrote:
>> Hi Rob, Ade and others,
>>
>> In the past, Rob was investigating enabling random certificate serial
>> numbers for FreeIPA PKI [1].  We also have a ticket [2] planned to enable
>> it for 4.0.
>> Can we simply switch it on for PKI with pkispawn attribute:
>>
>> [CA]
>> pki_random_serial_numbers_enable=True
>>
>> or is there any drawback or risk we should investigate?  I am just
>> thinking, does PKI handle collisions anyhow?  When, for example, two PKI
>> masters generate 2 certificates with the same serial (unlikely, though it
>> could happen)?
>>
>> Currently, we assign a different slice of the serial range to different
>> PKI masters; do we want to do that also for random serials?
>>
>> Thanks for the info
>>
>> [1] http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
>> [2] https://fedorahosted.org/freeipa/ticket/2016
>>
> Any impact on upgrades?

It only affects new installs.

> Any impact on certmonger?

I seriously doubt it. The only potential issue is seriously long serial 
numbers but that isn't specific to random values.

I had an install using this a year or so ago and I don't recall any 
major issues. Unfortunately that system has gone off the deep end so I 
no longer have the changes.

rob
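The collision question Martin raises and the long-serial point Rob makes, as an added example that is not FreeIPA or Dogtag code: a Python sketch that draws random serials from the OS CSPRNG, checks them against RFC 5280's positive-integer and 20-octet rules, estimates the collision probability with the birthday bound, and retries on a duplicate within one CA's database. The function names, the `issued` set standing in for a CA's certificate database, the bit widths and the retry limit are assumptions of this example, not settings of either project.

```python
import math
import secrets

# RFC 5280, section 4.1.2.2: serialNumber MUST be a positive integer and
# conforming CAs MUST NOT use values longer than 20 octets.  Constant name is
# this example's own, not a FreeIPA or Dogtag setting.
MAX_SERIAL_OCTETS = 20


def der_octets(serial: int) -> int:
    """Number of content octets a DER INTEGER needs for a non-negative value.

    A leading 0x00 is required whenever the top bit of the first octet would
    otherwise be set, which is why 128 needs two octets but 127 needs one.
    """
    if serial < 0:
        raise ValueError("certificate serial numbers must not be negative")
    return serial.bit_length() // 8 + 1


def is_valid_serial(serial: int) -> bool:
    """True if the value is positive and encodes within the 20-octet limit."""
    return serial > 0 and der_octets(serial) <= MAX_SERIAL_OCTETS


def random_serial(nbits: int = 64) -> int:
    """Draw a random serial of at most nbits bits from the OS CSPRNG.

    Zero is rejected because RFC 5280 requires a positive value.  159 bits is
    the largest width at which every value still fits in 20 octets once the
    sign-padding rule in der_octets() is applied.
    """
    if not 1 <= nbits <= 159:
        raise ValueError("nbits must be between 1 and 159")
    while True:
        serial = secrets.randbits(nbits)
        if serial > 0:
            return serial


def collision_probability(n: int, bits: int) -> float:
    """Birthday-bound estimate that n independent bits-wide draws collide.

    Uses 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision when the
    result is tiny.
    """
    if n < 2:
        return 0.0
    expected_pairs = n * (n - 1) / 2.0 ** (bits + 1)
    return -math.expm1(-expected_pairs)


def allocate_serial(issued: set, nbits: int = 64, max_attempts: int = 100) -> int:
    """Pick a random serial not already in `issued` and record it there.

    `issued` stands in for a single CA's certificate database (an assumption
    of this example).  The check only resolves duplicates within that one
    view; masters that do not consult a shared record would still need a
    shared range or a coordinated check, which is the open question in the
    thread.
    """
    for _ in range(max_attempts):
        candidate = random_serial(nbits)
        if candidate not in issued:
            issued.add(candidate)
            return candidate
    raise RuntimeError("no unused serial found after %d attempts" % max_attempts)


if __name__ == "__main__":
    db = set()
    for _ in range(5):
        s = allocate_serial(db, 64)
        print("issued serial 0x%x (%d DER octets)" % (s, der_octets(s)))
    for count in (1_000, 1_000_000, 1_000_000_000):
        print("%d certs at 64 bits: p(collision) ~ %.3g"
              % (count, collision_probability(count, 64)))
```

Running the block prints five fresh serials and then the birthday-bound estimates; at 64 bits a million certificates sit at roughly a 3-in-100-million chance of a duplicate, while a billion certificates push it to a few percent, which is the kind of number to weigh against a per-master range split.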
