[Freeipa-users] how to overcome same serial number in cert issue on different master servers?

Fraser Tweedale ftweedal at redhat.com
Tue Nov 11 02:59:15 UTC 2014


On Tue, Nov 11, 2014 at 02:11:55AM +0000, Les Stott wrote:
> > -----Original Message-----
> > From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> > Sent: Tuesday, 11 November 2014 12:51 PM
> > To: Les Stott
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> > issue on different master servers?
> > 
> > On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > > Hi,
> > >
> > > I have a standard rhel6 deployment for FreeIPA in two environments.
> > >
> > > One environment is in our Production Data Center, the other in our DR
> > > Data Center.
> > >
> > > Both environments are set up with the same domain (mydomain.com) for
> > > FreeIPA. This is to support DR/failover etc.
> > >
> > > In each environment, there is a master. In Prod it's serverA.mydomain.com,
> > > in DR it's serverB.mydomain.com.
> > >
> > > The master in each environment gets a certificate generated by IPA. This
> > > certificate shows a Serial Number of "0A".
> > >
> > > My problem is that because the certificates have the same Organization,
> > > OU and Serial Number, I can only browse to one of them (using Firefox).
> > >
> > > If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the
> > > certificate it works fine.
> > > If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes
> > > up with the following error:
> > >
> > > "Your certificate contains the same serial number as another certificate
> > > issued by the certificate authority. Please get a new certificate containing a
> > > unique serial number. (Error code: sec_error_reused_issuer_and_serial)"
> > >
> > > If I remove the stored browser certificate for serverA, then browse to
> > > serverB, and accept the certificate, it works, but then the "same serial
> > > number" error pops up for browsing serverA.
> > >
> > > Note: both environments were built separately and are not linked in
> > > any way (no replication between prod/dr).
> > >
> > > Is there a way to generate unique serial numbers for the masters?
> > >
> > > Thanks in advance,
> > >
> > > Les
> > >
> > Hi Les,
> > 
> > Ideally, you should prevent this situation by using different common names
> > (CN) for your CAs and server certificates across the different
> > environments.  If this is not possible, you can configure the Dogtag CA to use
> > random serial numbers:
> > 
> > http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> > 
> > This does not guarantee that you will not get serial number collisions, but
> > reduces the likelihood.
> > 
> 
> Thanks for the quick reply.
> 
> In this case the common name is different between both
> environments. In prod the master was serverA, in DR the master was
> serverB. It just happened that way. So having a different
> CommonName doesn't help.
> 
Do the CA certificates bear the same commonName?  This is probably
what Firefox uses to determine if there are serial number
collisions.

> I'll look into the dogtag random certificate serial number
> generation.
> 
> Does anyone know of a correct way to re-issue the certs for each
> master with a random serial number?
> 
> Thanks,
> 
> Les
> 
> 
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
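
An added example, not part of this thread or of FreeIPA/Dogtag: the collision Firefox reports as sec_error_reused_issuer_and_serial, reproduced with Go's standard library and detected by grouping certificates on (issuer DN, serial number). Two certificates issued under the same issuer DN with serial 0A collide even though the two CAs have different keys and the server CNs differ, which is the situation Les describes; the CA name and hostnames follow the thread, everything else is constructed test data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error; keeps the constructed test data below short
	if err != nil {
		panic(err)
	}
	return v
}
// issue builds a certificate for cn with the given serial, signed by a fresh key in the name
// "CN=Certificate Authority,O=MYDOMAIN.COM", like the thread's independently built IPA CAs.
func issue(cn string, serial int64) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // serves as CA and server key; the check below reads only names and serials
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{"MYDOMAIN.COM"}, CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	ca := &x509.Certificate{Subject: pkix.Name{Organization: []string{"MYDOMAIN.COM"}, CommonName: "Certificate Authority"}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, key)) // ca needs only a Subject; it becomes the Issuer
	return must(x509.ParseCertificate(der))
}
// IssuerSerialCollisions groups certificates by (issuer DN, serial), the pair behind Firefox's
// sec_error_reused_issuer_and_serial, and keeps only the groups holding two or more certificates.
func IssuerSerialCollisions(certs []*x509.Certificate) map[string][]string {
	groups := map[string][]string{}
	for _, c := range certs {
		k := fmt.Sprintf("%s serial=%X", c.Issuer, c.SerialNumber)
		groups[k] = append(groups[k], c.Subject.CommonName)
	}
	for k, cns := range groups {
		if len(cns) < 2 {
			delete(groups, k)
		}
	}
	return groups
}

// The thread's case: serverA and serverB share serial 0A under one issuer DN; serverC (0B) is the control.
func main() {
	fmt.Println(IssuerSerialCollisions([]*x509.Certificate{issue("serverA.mydomain.com", 0x0A), issue("serverB.mydomain.com", 0x0A), issue("serverC.mydomain.com", 0x0B)}))
}
```

Pointing the same check at the server and CA certificates exported from each environment shows whether the CA DNs (and not just the server CNs) are what collide, which is the question raised above.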
