[Freeipa-users] how to overcome same serial number in cert issue on different master servers?

Les Stott Less at imagine-sw.com
Tue Nov 11 02:11:55 UTC 2014


> -----Original Message-----
> From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> Sent: Tuesday, 11 November 2014 12:51 PM
> To: Les Stott
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> issue on different master servers?
> 
> On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > Hi,
> >
> > I have a standard rhel6 deployment for FreeIPA in two environments.
> >
> > One environment is in our Production Data Center, The Other in our DR
> Data Center.
> >
> > Both environments are setup with the same domain (mydomain.com) for
> FreeIPA. This is to support dr/failover etc.
> >
> > In each environment, there is a master. In Prod its serverA.mydomain.com,
> In DR its serverB.mydomain.com.
> >
> > The master in each environment gets a generated certificate by IPA. This
> certificate shows a Serial Number of "0A"
> >
> > My problem is that because the certificates have the same Organization,
> OU and Serial Number, I can only browse to one of them (using Firefox).
> >
> > If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the
> certificate it works fine.
> > If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes
> up with the following error:
> >
> > "Your certificate contains the same serial number as another certificate
> issued by the certificate authority. Please get a new certificate containing a
> unique serial number. (Error code: sec_error_reused_issuer_and_serial)"
> >
> > If I remove the stored browser certificate for serverA, then browse to
> serverB, and accept the certificate, it works, but then the "same serial
> number" error pops up for browsing serverA.
> >
> > Note: both environments were built separately and are not linked in
> anyway (no replication between prod/dr).
> >
> > Is there a way to generate unique serial numbers for the masters?
> >
> > Thanks in advance,
> >
> > Les
> >
> >
> >
> Hi Les,
> 
> Ideally, you should prevent this situation by using different common names
> (CN) for your CAs and server certifications across the different
> environments.  If this is not possible, you can configure the Dogtag CA to use
> random serial numbers:
> 
> http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> 
> This does not guarantee that you will not get serial number collisions, but
> reduces the likelihood.
> 

Thanks for the quick reply.

In this case the common name is different between both environments. In prod the master was serverA, in DR the master was serverB. It just happened that way. So having a different CommonName doesn't help.

I'll look into the dogtag random certificate serial number generation.

Does anyone know of a correct way to re-issue the certs for each master with a random serial number?

Thanks,

Les
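The check Firefox is applying here, reproduced offline as an added example (not code from the thread or from FreeIPA/Dogtag): the browser indexes stored certificates by (issuer DN, serial number) and never looks at the subject CN, which is why different CNs on serverA and serverB make no difference when two unrelated CAs share a subject DN and both hand out serial 0A. The script assumes openssl(1) is installed; the CA subject, server names and serials are constructed to mirror the thread, and the third certificate shows the random-serial remedy Fraser pointed to.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl(1) on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null   # one key reused for all certs

# Build one "environment": an independent CA whose subject DN is identical to the
# other environment's CA, plus a server cert with a chosen serial.
# $1 = label, $2 = server CN, $3 = serial (decimal or 0x-prefixed hex).
issue_env() {
  env_dir="$WORK/$1"; mkdir -p "$env_dir"
  openssl req -x509 -key "$WORK/key.pem" -days 1 -out "$env_dir/ca.crt" \
    -subj "/O=MYDOMAIN.COM/CN=Certificate Authority" 2>/dev/null
  openssl req -new -key "$WORK/key.pem" -out "$env_dir/server.csr" \
    -subj "/O=MYDOMAIN.COM/CN=$2" 2>/dev/null
  openssl x509 -req -in "$env_dir/server.csr" -CA "$env_dir/ca.crt" \
    -CAkey "$WORK/key.pem" -set_serial "$3" -days 1 \
    -out "$env_dir/server.crt" 2>/dev/null
}

# The pair Firefox keys on: issuer DN and serial number of a certificate file.
issuer_serial() {
  openssl x509 -noout -issuer -serial -in "$1" | tr '\n' ' '
}

# Exit status 0 when Firefox would refuse the second cert with
# sec_error_reused_issuer_and_serial after having stored the first.
collides() {
  [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ]
}

issue_env prod serverA.mydomain.com 10      # serial 0x0A, as in the thread
issue_env dr   serverB.mydomain.com 10      # separate CA, same DN, same serial
issue_env dr_random serverB.mydomain.com "0x$(openssl rand -hex 8)"  # random serial

for env in prod dr dr_random; do
  printf '%-10s %s\n' "$env" "$(issuer_serial "$WORK/$env/server.crt")"
done
if collides "$WORK/prod/server.crt" "$WORK/dr/server.crt"; then
  echo "prod vs dr: same issuer and serial, Firefox will reject the second one"
fi
if ! collides "$WORK/prod/server.crt" "$WORK/dr_random/server.crt"; then
  echo "prod vs dr_random: distinct serial, both certs can be stored"
fi
```

Random serials only make a collision improbable rather than impossible, which is the caveat given in the reply above.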