[Pki-devel] [PATCH] random certificate serial numbers

Tue Feb 19 01:34:00 UTC 2013

This patch adds support for random certificate serial numbers.

Bug 912554.


-------------- next part --------------
Index: pki/dogtag/console-ui/CMSAdminRS.properties
===================================================================

--- pki/dogtag/console-ui/CMSAdminRS.properties	(revision 2521)
+++ pki/dogtag/console-ui/CMSAdminRS.properties	(working copy)
@@ -378,6 +378,12 @@
 CAGENERAL_COMBOBOX_ALGORITHM_VALUE_3=SHA256 with RSA
 CAGENERAL_COMBOBOX_ALGORITHM_VALUE_4=SHA512 with RSA
 CAGENERAL_COMBOBOX_ALGORITHM_VALUE_5=SHA1 with DSA
+CAGENERAL_BORDER_MANAGEMENT_LABEL=Serial Number Management
+CAGENERAL_CHECKBOX_MANAGEMENT_LABEL=Enable serial number management
+CAGENERAL_CHECKBOXL_MANAGEMENT_TTIP=Allow CA to manage serial numbers automatically
+CAGENERAL_BORDER_RANDOM_LABEL=Random Certificate Serial Numbers 
+CAGENERAL_CHECKBOX_RANDOM_LABEL=Enable random certificate serial numbers
+CAGENERAL_CHECKBOXL_RANDOM_TTIP=Allow CA to generate random certificate serial numbers
 CAGENERAL_BORDER_SERIAL_LABEL=Certificate Serial Number
 CAGENERAL_LABEL_SERIAL_LABEL=Next Serial Number: (0x)
 CAGENERAL_LABEL_SERIAL_TTIP=Specify the next serial number of the certificate that the CA issues
@@ -387,6 +393,9 @@
 CAGENERAL_BORDER_VALIDITY_LABEL=Certificate Validity
 CAGENERAL_CHECKBOX_VALIDITY_LABEL=Override validity nesting requirement
 CAGENERAL_CHECKBOXL_VALIDITY_TTIP=Allow CA to issue certificates with validity beyond that of the CA's signing certificate
+CAGENERAL_BORDER_RANDOM_VALIDITY_LABEL=Randomize Certificate Validity
+CAGENERAL_CHECKBOX_RANDOM_VALIDITY_LABEL=Randomize certificate validity
+CAGENERAL_CHECKBOXL_RANDOM_VALIDITY_TTIP=Allow CA to issue certificates with randomized validity
 CAGENERAL_DIALOG_NUMBERFORMAT_MESSAGE=You must specify a numeric value
 CAGENERAL_DIALOG_NUMBERFORMAT_TITLE=Error
 CAGENERAL_CHECKBOX_RA_LABEL=Enable registration authority interaction
Index: pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
===================================================================
--- pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java	(revision 2521)
+++ pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java	(working copy)
@@ -1479,6 +1479,10 @@
         getSigningAlgConfig(params);
         getSerialConfig(params);
         getMaxSerialConfig(params);
+        params.add(Constants.PR_SN_MANAGEMENT,
+            Boolean.toString(mCA.getDBSubsystem().getEnableSerialMgmt()));
+        params.add(Constants.PR_RANDOM_SN,
+            Boolean.toString(mCA.getCertificateRepository().getEnableRandomSerialNumbers()));
   
         sendResponse(SUCCESS, null, params, resp);
     }
@@ -1555,6 +1559,11 @@
                 mCA.setStartSerial(value);
             } else if (key.equals(Constants.PR_MAXSERIAL)) {
                 mCA.setMaxSerial(value);
+            } else if (key.equals(Constants.PR_SN_MANAGEMENT)) {
+                mCA.getDBSubsystem().setEnableSerialMgmt(Boolean.valueOf(value));
+                //mCA.getCertificateRepository().setEnableSerialMgmt(Boolean.valueOf(value));
+            } else if (key.equals(Constants.PR_RANDOM_SN)) {
+                mCA.getCertificateRepository().setEnableRandomSerialNumbers(Boolean.valueOf(value), true);
             }
         }
 
Index: pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
===================================================================
--- pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java	(revision 2521)
+++ pki/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java	(working copy)
@@ -33,6 +33,7 @@
 import com.netscape.certsrv.policy.*;
 import com.netscape.certsrv.security.*;
 import com.netscape.certsrv.publish.*;
+import com.netscape.certsrv.dbs.*;
 import com.netscape.certsrv.dbs.certdb.*;
 import com.netscape.certsrv.dbs.crldb.*;
 import com.netscape.certsrv.dbs.replicadb.*;
@@ -465,6 +466,13 @@
     public IService getCAService();
 
     /**
+     * Retrieves the DB subsystem managing internal data storage.
+     *
+     * @return DB subsystem object
+     */
+    public IDBSubsystem getDBSubsystem();
+
+    /**
      * Returns the in-memory count of the processed OCSP requests.
      *
      * @return number of processed OCSP requests in memory
Index: pki/base/common/src/com/netscape/certsrv/common/Constants.java
===================================================================
--- pki/base/common/src/com/netscape/certsrv/common/Constants.java	(revision 2521)
+++ pki/base/common/src/com/netscape/certsrv/common/Constants.java	(working copy)
@@ -341,10 +341,14 @@
      * Certificate Authority
      *========================================================*/
     public final static String PR_VALIDITY = "validity";
+    //public final static String PR_RANDOM_VALIDITY = "randomValidity";
+    //public final static String PR_RANDOM_VALIDITY_BITS = "randomValidityBits";
     public final static String PR_DEFAULT_ALGORITHM = "defaultSigningAlgorithm";
     public final static String PR_ALL_ALGORITHMS = "allSigningAlgorithms";
     public final static String PR_SERIAL = "startSerialNumber";
     public final static String PR_MAXSERIAL = "maxSerialNumber";
+    public final static String PR_SN_MANAGEMENT = "serialNumberManagement";
+    public final static String PR_RANDOM_SN = "randomSerialNumbers";
 
     /*========================================================
      * Access Control
Index: pki/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java
===================================================================
--- pki/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java	(revision 2521)
+++ pki/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java	(working copy)
@@ -37,6 +37,7 @@
 
 	public final static String ATTR_SERIALNO = "serialNo";
 	public final static String ATTR_PUB_STATUS = "publishingStatus";
+	public final static String ATTR_DESCRIPTION = "description";
 
 	/**
 	 * Retrieves serial number.
@@ -46,4 +47,6 @@
 	public BigInteger getSerialNumber();
 
 	public String getPublishingStatus();
+
+	public String getDescription();
 }
Index: pki/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java
===================================================================
--- pki/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java	(revision 2521)
+++ pki/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java	(working copy)
@@ -205,6 +205,39 @@
     public void setEnableSerialMgmt(boolean value) throws EBaseException;
 
     /**
+     * Gets replica ID
+     *
+     * @return replica ID
+     */
+    public int getReplicaID();
+
+    /**
+     * Gets internal DB configuration store
+     *
+     * @return internal DB configuration store
+     */
+    public IConfigStore getConfigStore();
+
+    /**
+     * Gets DB subsystem configuration store
+     *
+     * @return DB subsystem configuration store
+     */
+    public IConfigStore getDBConfigStore();
+
+    /**
+     * Gets attribute value for specified entry
+     *
+     * @param dn            entry's distinguished name 
+     * @param attrName      attribute's name 
+     * @param defaultValue  attribute's default value 
+     * @param errorValue    attribute's error value 
+     * @return attribute value
+     */
+    public String getEntryAttribute(String dn, String attrName,
+                                    String defaultValue, String errorValue);
+
+    /**
      * Returns LDAP connection to connection pool.
      *
      * @param conn connection to be returned
Index: pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java
===================================================================
--- pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java	(revision 2521)
+++ pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java	(working copy)
@@ -508,5 +508,22 @@
      */
     public void removeCertRecords(BigInteger beginS, BigInteger endS) throws EBaseException;
 
+    /**
+     * Retrieves serial number management mode.
+     *
+     * @return serial number management mode,
+     * "true" indicates random serial number management,
+     * "false" indicates sequential serial number management.
+     */
+    public boolean getEnableRandomSerialNumbers();
+
+    /**
+     * Sets serial number management mode for certificates..
+     *
+     * @param random "true" sets random serial number management, "false" sequential
+     * @param updateMode "true" updates "description" attribute in certificate repository
+     */
+    public void setEnableRandomSerialNumbers(boolean random, boolean updateMode);
+
     public void shutdown();
 }
Index: pki/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java
===================================================================
--- pki/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java	(revision 2521)
+++ pki/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java	(working copy)
@@ -59,6 +59,7 @@
     private DBRegistry mRegistry = null;
     private String mBaseDN = null;
     private ISubsystem mOwner = null;
+    private int mReplicaID = -1;
 
     private Hashtable[] mRepos = null;
 
@@ -141,8 +142,6 @@
     private static final String PROP_INCREMENT_NAME = "increment_name";
     private static final String PROP_RANGE_DN="rangeDN";
 
-    private static final BigInteger BI_ONE = new BigInteger("1");
-
     private ILogger mLogger = null;
  
     // singleton enforcement
@@ -212,6 +211,10 @@
         mEnableSerialMgmt = v;
     }
 
+    public int getReplicaID() {
+        return mReplicaID;
+    }
+
     public BigInteger getNextSerialConfig() {
         return mNextSerialConfig;
     }
@@ -437,7 +440,7 @@
             conn.modify( dn, mods );
 
             // Add new range object
-            String endRange = nextRangeNo.add(incrementNo).subtract(BI_ONE).toString();
+            String endRange = nextRangeNo.add(incrementNo).subtract(BigInteger.ONE).toString();
             LDAPAttributeSet attrs = new LDAPAttributeSet();
             attrs.add(new LDAPAttribute("objectClass", "top"));
             attrs.add(new LDAPAttribute("objectClass", "pkiRange"));
@@ -449,6 +452,8 @@
             String dn2 = "cn=" + nextRange + "," + rangeDN;
             LDAPEntry rangeEntry = new LDAPEntry(dn2, attrs);
             conn.add(rangeEntry);
+            CMS.debug("DBSubsystem: getNextRange  Next range has been added: " +
+                      nextRange + " - " + endRange);
         } catch (Exception e) {
             CMS.debug("DBSubsystem: getNextRange. Unable to provide next range :" + e);
             e.printStackTrace();
@@ -547,6 +552,7 @@
                 PROP_NEXT_SERIAL_NUMBER, "0"), 16);
 
             mEnableSerialMgmt = mDBConfig.getBoolean(PROP_ENABLE_SERIAL_MGMT, false);
+            CMS.debug("DBSubsystem: init()  mEnableSerialMgmt="+mEnableSerialMgmt);
 
             // populate the certs hash entry
             Hashtable certs = new Hashtable();
@@ -800,14 +806,72 @@
                 reg.registerAttribute(IRepositoryRecord.ATTR_PUB_STATUS,
                     new StringMapper(RepositorySchema.LDAP_ATTR_PUB_STATUS));
             }
+            if (!reg.isAttributeRegistered(IRepositoryRecord.ATTR_DESCRIPTION)) {
+                reg.registerAttribute(IRepositoryRecord.ATTR_DESCRIPTION,
+                    new StringMapper(RepositorySchema.LDAP_ATTR_DESCRIPTION));
+            }
 
         } catch (EBaseException e) {
             if (CMS.isPreOpMode())
                 return;
             throw e;
         }
+
+        if (!CMS.isPreOpMode()) {
+            String dn = null;
+            try {
+                dn = "cn=replica,cn=\""+mBaseDN+"\",cn=mapping tree,cn=config";
+                mReplicaID = Integer.parseInt(getEntryAttribute(dn, "nsDS5ReplicaId", "0", "-1"));
+                CMS.debug("DBSubsystem: init()  mReplicaID="+mReplicaID);
+            } catch (Exception e) {
+                CMS.debug("DBSubsystem: init(). Unable to identify replica ID:" + e.getMessage());
+            }
+        }
     }
 
+    public String getEntryAttribute(String dn, String attrName,
+                                    String defaultValue, String errorValue) {
+        LDAPConnection conn = null;
+        String attrValue = null;
+        //CMS.debug("DBSubsystem: getEntryAttribute:  dn="+dn+"  attrName="+attrName+
+        //          "  defaultValue="+defaultValue+"  errorValue="+errorValue);
+        try {
+            conn = mLdapConnFactory.getConn();
+            String[] attrs = { attrName };
+            LDAPEntry entry = conn.read(dn, attrs);
+            if (entry != null) {
+                LDAPAttribute attr =  entry.getAttribute(attrName);
+                if (attr != null) {
+                    attrValue = (String) attr.getStringValues().nextElement();
+                } else {
+                    attrValue = defaultValue;
+                }
+            } else {
+                attrValue = errorValue;
+            }
+        } catch (LDAPException e) {
+            CMS.debug("DBSubsystem: getEntryAttribute  LDAPException  code="+e.getLDAPResultCode());
+            if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
+                attrValue = defaultValue;
+            }
+        } catch (Exception e) {
+            CMS.debug("DBSubsystem: getEntryAttribute. Unable to retrieve '"+attrName+"': "+ e);
+            attrValue = errorValue;
+        } finally {
+            try {
+                if ((conn != null) && (mLdapConnFactory != null)) {
+                    CMS.debug("Releasing ldap connection");
+                    mLdapConnFactory.returnConn(conn);
+                }
+            } catch (Exception e) {
+                CMS.debug("Error releasing the ldap connection" + e.toString());
+            }
+        }
+        CMS.debug("DBSubsystem: getEntryAttribute:  dn="+dn+"  attr="+attrName+":"+attrValue+";");
+
+        return attrValue;
+    }
+
     /**
      * Starts up this service.
      */
@@ -815,13 +879,20 @@
     }
 	
     /**
-     * Retrieves configuration store.
+     * Retrieves internal DB configuration store.
      */
     public IConfigStore getConfigStore() {
         return mConfig;
     }
 
     /**
+     * Retrieves DB subsystem configuration store.
+     */
+    public IConfigStore getDBConfigStore() {
+        return mDBConfig;
+    }
+
+    /**
      * Retrieves base DN of backend database.
      */
     public String getBaseDN() {
Index: pki/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java
===================================================================
--- pki/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java	(revision 2521)
+++ pki/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java	(working copy)
@@ -41,11 +41,13 @@
 
     private BigInteger mSerialNo = null;
     private String mPublishingStatus = null;
+    private String mDescription = null;
 
     protected static Vector mNames = new Vector();
     static {
         mNames.addElement(IRepositoryRecord.ATTR_SERIALNO);
         mNames.addElement(IRepositoryRecord.ATTR_PUB_STATUS);
+        mNames.addElement(IRepositoryRecord.ATTR_DESCRIPTION);
     }
 
     /**
@@ -63,6 +65,8 @@
             mSerialNo = (BigInteger) obj;
         } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) {
             mPublishingStatus = (String) obj;
+        } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) {
+            mDescription = (String) obj;
         } else {
             throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
         }
@@ -76,6 +80,8 @@
             return mSerialNo;
         } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) {
             return mPublishingStatus;
+        } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) {
+            return mDescription;
         } else {
             throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
         }
@@ -109,4 +115,8 @@
     public String getPublishingStatus() {
         return mPublishingStatus;
     }
+
+    public String getDescription() {
+        return mDescription;
+    }
 }
Index: pki/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java
===================================================================
--- pki/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java	(revision 2521)
+++ pki/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java	(working copy)
@@ -41,4 +41,5 @@
     public static final String LDAP_OC_REPOSITORY = "repository";
     public static final String LDAP_ATTR_SERIALNO = "serialno";
     public static final String LDAP_ATTR_PUB_STATUS = "publishingStatus";
+    public final static String LDAP_ATTR_DESCRIPTION = "description";
 }
Index: pki/base/common/src/com/netscape/cmscore/dbs/Repository.java
===================================================================
--- pki/base/common/src/com/netscape/cmscore/dbs/Repository.java	(revision 2521)
+++ pki/base/common/src/com/netscape/cmscore/dbs/Repository.java	(working copy)
@@ -48,9 +48,7 @@
 
 public abstract class Repository implements IRepository {
 
-    private static final BigInteger BI_ONE = new BigInteger("1");
     private BigInteger BI_INCREMENT = null;
-    private static final BigInteger BI_ZERO = new BigInteger("0");
     // (the next serialNo to be issued) - 1
     private BigInteger mSerialNo = null; 
     // the serialNo attribute stored in db
@@ -61,8 +59,10 @@
     private String mNextMaxSerial = null;
     private String mNextMinSerial = null;
 
-    private BigInteger mMinSerialNo = null;
-    private BigInteger mMaxSerialNo = null;
+    protected boolean mEnableRandomSerialNumbers = false;
+    protected BigInteger mCounter = null;
+    protected BigInteger mMinSerialNo = null;
+    protected BigInteger mMaxSerialNo = null;
     private BigInteger mNextMinSerialNo = null;
     private BigInteger mNextMaxSerialNo = null;
 
@@ -152,6 +152,7 @@
         }
 
         BigInteger serial = rec.getSerialNumber();
+        CMS.debug("Repository: getSerialNumber  serial="+serial);
 
         if (!mInit) {
             // cms may crash after issue a cert but before update 
@@ -161,7 +162,7 @@
                         serial + "," + mBaseDN);
 
                 if (obj != null) {
-                    serial = serial.add(BI_ONE);
+                    serial = serial.add(BigInteger.ONE);
                     setSerialNumber(serial);
                 }
             }catch (EBaseException e) {
@@ -249,6 +250,9 @@
        return mMinSerial;
     }
 
+    protected void setLastSerialNo(BigInteger lastSN) {
+        mLastSerialNo = lastSN;
+    }
 
     /**
      * init serial number cache
@@ -323,6 +327,11 @@
 
     }
    
+    protected void initCacheIfNeeded() throws EBaseException {
+        if (mLastSerialNo == null) 
+            initCache();
+    }
+
     /**
      * get the next serial number in cache
      */
@@ -331,7 +340,7 @@
         CMS.debug("Repository:In getTheSerialNumber " );
         if (mLastSerialNo == null) 
             initCache();
-        BigInteger serial = new BigInteger((mLastSerialNo.add(BI_ONE)).toString());
+        BigInteger serial = mLastSerialNo.add(BigInteger.ONE);
 
         if (mMaxSerialNo != null && serial.compareTo(mMaxSerialNo) > 0)
             return null;
@@ -360,7 +369,7 @@
         // < BI_INCREMENT and server restart right afterwards.
         mDB.setNextSerialConfig(num);
 
-        mSerialNo = num.subtract(BI_ONE);
+        mSerialNo = num.subtract(BigInteger.ONE);
         mNext = num.add(BI_INCREMENT);
         setSerialNumber(mNext);
     }
@@ -379,23 +388,43 @@
  
         if (mLastSerialNo == null) {
             initCache();
-
-            mLastSerialNo = mLastSerialNo.add(BI_ONE);
-            
-          
-        } else {
-            mLastSerialNo = mLastSerialNo.add(BI_ONE);
         }
-
-        if( mLastSerialNo == null ) {
+        if (mLastSerialNo == null) {
             CMS.debug( "Repository::getNextSerialNumber() " +
                        "- mLastSerialNo is null!" );
             throw new EBaseException( "mLastSerialNo is null" );
         }
 
+        mLastSerialNo = mLastSerialNo.add(BigInteger.ONE);
+
+        checkRange();
+
+        BigInteger retSerial = new BigInteger(mLastSerialNo.toString());
+
+        CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial);
+        return retSerial; 
+    }
+
+    /**
+     * Checks to see if range needs to be switched.
+     *      
+     * @exception EBaseException thrown when next range is not allocated
+     */
+    protected void checkRange() throws EBaseException 
+    {
         // check if we have reached the end of the range
         // if so, move to next range
-        if (mLastSerialNo.compareTo( mMaxSerialNo ) > 0 ) {
+        BigInteger randomLimit = null;
+        if ((this instanceof ICertificateRepository) &&
+            mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) {
+            randomLimit = mMaxSerialNo.subtract(mMinSerialNo).add(BigInteger.ONE);
+            randomLimit = randomLimit.subtract(mLowWaterMarkNo.shiftRight(1));
+            CMS.debug("Repository: checkRange  randomLimit="+randomLimit);
+        }
+        CMS.debug("Repository: checkRange  mLastSerialNo="+mLastSerialNo);
+        if (mLastSerialNo.compareTo( mMaxSerialNo ) > 0 ||
+            (randomLimit != null && mCounter.compareTo(randomLimit) > 0)) {
+
             if (mDB.getEnableSerialMgmt()) {
                 CMS.debug("Reached the end of the range.  Attempting to move to next range");
                 mMinSerialNo = mNextMinSerialNo;
@@ -409,8 +438,8 @@
                 }
 
                 // persist the changes
-                mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString());
-                mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString());
+                mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString(mRadix));
+                mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString(mRadix));
                 mDB.setNextMinSerialConfig(mRepo, null);
                 mDB.setNextMaxSerialConfig(mRepo, null);
             } else {
@@ -418,11 +447,6 @@
                         mLastSerialNo.toString()));
             }
         }
-
-        BigInteger retSerial = new BigInteger(mLastSerialNo.toString());
-
-        CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial);
-        return retSerial; 
     }
 
     /**
@@ -445,13 +469,19 @@
         if (mLastSerialNo == null)
             initCache();
 
-        BigInteger numsInRange = mMaxSerialNo.subtract(mLastSerialNo);
+        BigInteger numsInRange = null;
+        if ((this instanceof ICertificateRepository) &&
+            mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) {
+            numsInRange = (mMaxSerialNo.subtract(mMinSerialNo)).subtract(mCounter);
+        } else {
+            numsInRange = mMaxSerialNo.subtract(mLastSerialNo);
+        }
         BigInteger numsInNextRange = null;
         BigInteger numsAvail = null;
         CMS.debug("Serial numbers left in range: " + numsInRange.toString());
         CMS.debug("Last Serial Number: " + mLastSerialNo.toString());
         if ((mNextMaxSerialNo != null) && (mNextMinSerialNo != null)) {
-            numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo);
+            numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo).add(BigInteger.ONE);
             numsAvail = numsInRange.add(numsInNextRange);
             CMS.debug("Serial Numbers in next range: " + numsInNextRange.toString());
             CMS.debug("Serial Numbers available: " + numsAvail.toString());
@@ -467,7 +497,7 @@
                 CMS.debug("Next Range not available");
             } else {
                 CMS.debug("nNextMinSerialNo has been set to " + mNextMinSerialNo.toString(mRadix));
-                mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo);
+                mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo).subtract(BigInteger.ONE);
                 numsAvail = numsAvail.add(mIncrementNo);
                 mDB.setNextMinSerialConfig(mRepo, mNextMinSerialNo.toString(mRadix));
                 mDB.setNextMaxSerialConfig(mRepo, mNextMaxSerialNo.toString(mRadix));
Index: pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java
===================================================================
--- pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java	(revision 2521)
+++ pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java	(working copy)
@@ -52,7 +52,15 @@
 public class CertificateRepository extends Repository
     implements ICertificateRepository {
 
-    public final String CERT_X509ATTRIBUTE = "x509signedcert";
+    private static final String PROP_ENABLE_RANDOM_SERIAL_NUMBERS = "enableRandomSerialNumbers";
+    private static final String PROP_RANDOM_SERIAL_NUMBER_COUNTER = "randomSerialNumberCounter";
+    private static final String PROP_FORCE_MODE_CHANGE = "forceModeChange";
+    private static final String PROP_RANDOM_MODE = "random";
+    private static final String PROP_SEQUENTIAL_MODE = "sequential";
+    private static final String PROP_COLLISION_RECOVERY_STEPS = "collisionRecoverySteps";
+    private static final String PROP_COLLISION_RECOVERY_REGENERATIONS = "collisionRecoveryRegenerations";
+    private static final BigInteger BI_MINUS_ONE = (BigInteger.ZERO).subtract(BigInteger.ONE);
+    private final int REPLICA_BITS = 16;
 
     private IDBSubsystem mDBService;
     private String mBaseDN;
@@ -66,6 +74,18 @@
     private int mTransitMaxRecords = 1000000;
     private int mTransitRecordPageSize = 200;
 
+    private Random mRandom = null;
+    private int mBitLength = 0;
+    private BigInteger mRangeSize = null;
+    private BigInteger mRandomRangeSize = null;
+    private BigInteger mReplicaID = null;
+    private int mMinRandomBitLength = 4;
+    private int mReplicaBitLength = REPLICA_BITS;
+    private int mMaxCollisionRecoverySteps = 10;
+    private int mMaxCollisionRecoveryRegenerations = 3;
+    private IConfigStore mDBConfig = null;
+    private boolean mForceModeChange = false;
+
     /**
      * Constructs a certificate repository.
      */
@@ -75,17 +95,297 @@
         mBaseDN = certRepoBaseDN;
       
         mDBService = dbService;
-
-        // registers CMS database attributes
-        IDBRegistry reg = dbService.getRegistry();
-
-        IConfigStore cfg = mDBService.getConfigStore();
+        mDBConfig = mDBService.getDBConfigStore();
     }
 
     public ICertRecord createCertRecord(BigInteger id, Certificate cert, MetaInfo meta) {
         return new CertRecord(id, cert, meta);
     }
 
+    public boolean getEnableRandomSerialNumbers() {
+        return mEnableRandomSerialNumbers;
+    }
+
+    public void setEnableRandomSerialNumbers(boolean random, boolean updateMode) {
+        if (mEnableRandomSerialNumbers ^ random) {
+            mEnableRandomSerialNumbers = random;
+            CMS.debug("CertificateRepository:  setEnableRandomSerialNumbers   switching to " +
+                      ((random)?PROP_RANDOM_MODE:PROP_SEQUENTIAL_MODE) + " mode");
+            if (updateMode) {
+                setCertificateRepositoryMode((mEnableRandomSerialNumbers)? PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE);
+            }
+            mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers);
+
+            BigInteger lastSerialNumber = null;
+            try {
+                lastSerialNumber = getLastSerialNumberInRange(mMinSerialNo,mMaxSerialNo);
+            } catch (Exception e) {
+            }
+            if (lastSerialNumber != null) {
+                super.setLastSerialNo(lastSerialNumber);
+                if (mEnableRandomSerialNumbers) {
+                    mCounter = lastSerialNumber.subtract(mMinSerialNo).add(BigInteger.ONE);
+                    CMS.debug("CertificateRepository:  setEnableRandomSerialNumbers  mCounter="+
+                               mCounter+"="+lastSerialNumber+"-"+mMinSerialNo+"+1");
+                    long t = System.currentTimeMillis();
+                    mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t);
+                } else {
+                    mCounter = BI_MINUS_ONE;
+                    mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString());
+                }
+            }
+
+            try {
+                CMS.getConfigStore().commit(false);
+            } catch (Exception e) {
+            }
+        }
+    }
+
+    private BigInteger getRandomNumber() throws EBaseException {
+        BigInteger randomNumber = null;
+
+        if (mRandom == null) {
+            mRandom = new Random();
+        }
+        super.initCacheIfNeeded();
+
+        if (mRangeSize == null || mReplicaID == null) {
+            mRangeSize = (mMaxSerialNo.subtract(mMinSerialNo)).add(BigInteger.ONE);
+            mBitLength = mRangeSize.bitLength();
+            int rid = mDBService.getReplicaID();
+            rid = -1;  // shared ranges using replica IDs are postponed
+            if (rid > -1) {
+                mReplicaID = new BigInteger((new Integer(rid)).toString());
+            } else {
+                mReplicaBitLength = 0;
+            }
+            mRandomRangeSize = mRangeSize.shiftRight(mReplicaBitLength);
+        }
+        if (mBitLength - mReplicaBitLength < mMinRandomBitLength) {
+            CMS.debug("CertificateRepository: getRandomNumber:  Range size is too small to support random certificate serial numbers.");
+            throw new EBaseException ("Range size is too small to support random certificate serial numbers.");
+        }
+        randomNumber = new BigInteger((mBitLength-mReplicaBitLength), mRandom);
+        randomNumber = (randomNumber.multiply(mRandomRangeSize)).shiftRight(mBitLength-mReplicaBitLength);
+        CMS.debug("CertificateRepository: getRandomNumber  randomNumber="+randomNumber);
+
+        return randomNumber; 
+    }
+
+    private BigInteger getRandomSerialNumber(BigInteger randomNumber) throws EBaseException {
+        BigInteger nextSerialNumber = null;
+
+        if (mReplicaBitLength > 0) {
+            nextSerialNumber = (randomNumber.shiftLeft(mReplicaBitLength)).add(mReplicaID);
+        } else {
+            nextSerialNumber = randomNumber;
+        }
+        nextSerialNumber = (nextSerialNumber.add(mMinSerialNo)).subtract(BigInteger.ONE);
+        CMS.debug("CertificateRepository: getRandomSerialNumber  nextSerialNumber="+nextSerialNumber);
+
+        return nextSerialNumber; 
+    }
+
+    private BigInteger checkSerialNumbers(BigInteger randomNumber, BigInteger serialNumber) throws EBaseException {
+        BigInteger nextSerialNumber = null;
+        BigInteger initialRandomNumber = randomNumber;
+        BigInteger delta = BigInteger.ZERO;
+        int i = 0;
+        int n = mMaxCollisionRecoverySteps;
+
+        do {
+            CMS.debug("CertificateRepository: checkSerialNumbers  checking("+(i+1)+")="+serialNumber);
+            try {
+                if (readCertificateRecord(serialNumber) != null) {
+                    CMS.debug("CertificateRepository: checkSerialNumbers  collision detected for serialNumber="+serialNumber);
+                }
+            } catch (EDBRecordNotFoundException nfe) {
+                CMS.debug("CertificateRepository: checkSerialNumbers  serial number "+serialNumber+" is available");
+                nextSerialNumber = serialNumber;
+            } catch (Exception e) {
+                CMS.debug("CertificateRepository: checkSerialNumbers  Exception="+e.getMessage());
+            }
+
+            if (nextSerialNumber == null) {
+                if (i%2 == 0) {
+                    delta = delta.add(BigInteger.ONE);
+                    serialNumber = getRandomSerialNumber(initialRandomNumber.add(delta));
+
+                    if (mMaxSerialNo != null && serialNumber.compareTo(mMaxSerialNo) > 0) {
+                        serialNumber = getRandomSerialNumber(initialRandomNumber.subtract(delta));
+                        i++;
+                        n++;
+                    }
+                } else {
+                    serialNumber = getRandomSerialNumber(initialRandomNumber.subtract(delta));
+                    if (mMinSerialNo != null && serialNumber.compareTo(mMinSerialNo) < 0) {
+                        delta = delta.add(BigInteger.ONE);
+                        serialNumber = getRandomSerialNumber(initialRandomNumber.add(delta));
+                        i++;
+                        n++;
+                    }
+                }
+                i++;
+            }
+        } while (nextSerialNumber == null && i < n);
+
+        return nextSerialNumber; 
+    }
+
+    private Object nextSerialNumberMonitor = new Object();
+
+    public BigInteger getNextSerialNumber() throws
+            EBaseException {
+
+        BigInteger nextSerialNumber = null;
+        BigInteger randomNumber = null;
+
+        synchronized (nextSerialNumberMonitor) {
+            CMS.debug("CertificateRepository: getNextSerialNumber  mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers);
+
+            if (mEnableRandomSerialNumbers) {
+                int i = 0;
+                do {
+                    if (i > 0) {
+                        CMS.debug("CertificateRepository: getNextSerialNumber  regenerating serial number");
+                    }
+                    randomNumber = getRandomNumber();
+                    nextSerialNumber = getRandomSerialNumber(randomNumber);
+                    nextSerialNumber = checkSerialNumbers(randomNumber, nextSerialNumber);
+                    i++;
+                } while (nextSerialNumber == null && i < mMaxCollisionRecoveryRegenerations);
+
+                if (nextSerialNumber == null) {
+                    CMS.debug("CertificateRepository: in getNextSerialNumber  nextSerialNumber is null");
+                    throw new EBaseException( "nextSerialNumber is null" );
+                }
+
+                if (mCounter.compareTo(BigInteger.ZERO) >= 0 &&
+                    mMinSerialNo != null && mMaxSerialNo != null &&
+                    nextSerialNumber != null &&
+                    nextSerialNumber.compareTo(mMinSerialNo) >= 0 &&
+                    nextSerialNumber.compareTo(mMaxSerialNo) <= 0) {
+                    mCounter = mCounter.add(BigInteger.ONE);
+                }
+                CMS.debug("CertificateRepository: getNextSerialNumber  nextSerialNumber="+
+                          nextSerialNumber+"  mCounter="+mCounter);
+
+                super.checkRange();
+            } else {
+                nextSerialNumber = super.getNextSerialNumber();
+            }
+        }
+
+        return nextSerialNumber; 
+    }
+
+    private void updateCounter() {
+        CMS.debug("CertificateRepository: updateCounter  mEnableRandomSerialNumbers="+
+                  mEnableRandomSerialNumbers+"  mCounter="+mCounter);
+        try {
+            super.initCacheIfNeeded();
+        } catch (Exception e) {
+            CMS.debug("CertificateRepository: updateCounter  Exception from initCacheIfNeeded: "+e.getMessage());
+        }
+
+        String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null);
+
+        boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) ||
+                             ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE));
+        CMS.debug("CertificateRepository: updateCounter  modeChange="+modeChange);
+        if (modeChange) {
+            if (mForceModeChange) {
+                setEnableRandomSerialNumbers(mEnableRandomSerialNumbers, true);
+            } else {
+                setEnableRandomSerialNumbers(!mEnableRandomSerialNumbers, false);
+            }
+        } else if (mEnableRandomSerialNumbers && mCounter != null &&
+                   mCounter.compareTo(BigInteger.ZERO) >= 0) {
+            long t = System.currentTimeMillis();
+            mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t);
+            try {
+                CMS.getConfigStore().commit(false);
+            } catch (Exception e) {
+                CMS.debug("CertificateRepository: updateCounter  Exception committing ConfigStore="+e.getMessage());
+            }
+        }
+        CMS.debug("CertificateRepository: UpdateCounter  mEnableRandomSerialNumbers="+
+                  mEnableRandomSerialNumbers+"  mCounter="+mCounter);
+    }
+
+    private BigInteger getInRangeCount(String fromTime, BigInteger  minSerialNo, BigInteger maxSerialNo)
+    throws EBaseException {
+        BigInteger count = BigInteger.ZERO;
+        String filter = null;
+
+        if (fromTime != null && fromTime.length() > 0) {
+            filter = "(certCreateTime >= "+fromTime+")";
+        } else {
+            filter = "(&("+ICertRecord.ATTR_ID+">="+minSerialNo+")("+
+                           ICertRecord.ATTR_ID+"<="+maxSerialNo+"))";
+        }
+        CMS.debug("CertificateRepository: getInRangeCount  filter="+filter+
+                  "  minSerialNo="+minSerialNo+"  maxSerialNo="+maxSerialNo);
+
+        Enumeration e = findCertRecs(filter, new String[] {ICertRecord.ATTR_ID, "objectclass"});
+        while (e != null && e.hasMoreElements()) {
+            ICertRecord rec = (ICertRecord) e.nextElement();
+            if (rec != null) {
+                BigInteger sn = rec.getSerialNumber();
+                if (fromTime == null || fromTime.length() == 0 ||
+                    (minSerialNo != null && maxSerialNo != null &&
+                     sn != null && sn.compareTo(minSerialNo) >= 0 &&
+                     sn.compareTo(maxSerialNo) <= 0)) {
+                    count = count.add(BigInteger.ONE);
+                }
+            }
+        }
+        CMS.debug("CertificateRepository: getInRangeCount  count=" + count);
+
+        return count; 
+    }
+
+    private BigInteger getInRangeCounter(BigInteger  minSerialNo, BigInteger maxSerialNo)
+    throws EBaseException {
+        String c = null;
+        String t = null;
+        String s = (mDBConfig.getString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-1")).trim();
+        CMS.debug("CertificateRepository: getInRangeCounter:  saved counter string="+s);
+        int i = s.indexOf(',');
+        int n = s.length();
+        if (i > -1) {
+            if (i > 0) {
+                c = s.substring(0, i);
+                if (i < n) {
+                    t = s.substring(i+1);
+                }
+            } else {
+                c = "-1";
+            }
+        } else {
+            c = s;
+        }
+        CMS.debug("CertificateRepository: getInRangeCounter:  c=" + c + ((t != null)?("  t="+t):""));
+
+        BigInteger counter = new BigInteger(c);
+        BigInteger count = BigInteger.ZERO;
+        if (t != null) {
+            count = getInRangeCount(t, minSerialNo, maxSerialNo);
+            if (count.compareTo(BigInteger.ZERO) > 0) {
+                counter = counter.add(count);
+            }
+        } else if (s.equals("-2")) {
+            count = getInRangeCount(t, minSerialNo, maxSerialNo);
+            if (count.compareTo(BigInteger.ZERO) >= 0) {
+                counter = count;
+            }
+        }
+        CMS.debug("CertificateRepository: getInRangeCounter:  counter=" + counter);
+
+        return counter; 
+    }
+
     public BigInteger getLastSerialNumberInRange(BigInteger  serial_low_bound, BigInteger serial_upper_bound)
     throws EBaseException {
 
@@ -97,8 +397,42 @@
 
         }
 
-        String ldapfilter = "(" + "certstatus" + "=*" + ")";
+        mEnableRandomSerialNumbers = mDBConfig.getBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, false);
+        mForceModeChange = mDBConfig.getBoolean(PROP_FORCE_MODE_CHANGE, false);
+        String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null);
+        mMaxCollisionRecoverySteps = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_STEPS, 10);
+        mMaxCollisionRecoveryRegenerations = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_REGENERATIONS, 3);
+        boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) ||
+                             ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE));
+        CMS.debug("CertificateRepository: getLastSerialNumberInRange"+
+                  "  mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers+
+                  "  CollisionRecovery="+mMaxCollisionRecoveryRegenerations+","+mMaxCollisionRecoverySteps);
+        CMS.debug("CertificateRepository: getLastSerialNumberInRange  modeChange="+modeChange+
+                  "  mForceModeChange="+mForceModeChange+((crMode != null)?("  mode="+crMode):""));
+        if (modeChange) {
+            if (mForceModeChange) {
+                setCertificateRepositoryMode((mEnableRandomSerialNumbers)? PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE);
+                mForceModeChange = false;
+                mDBConfig.remove(PROP_FORCE_MODE_CHANGE);
+            } else {
+                mEnableRandomSerialNumbers = !mEnableRandomSerialNumbers;
+                mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers);
+            }
+        }  
+        if (mEnableRandomSerialNumbers && mCounter == null) {
+            mCounter = getInRangeCounter(serial_low_bound, serial_upper_bound);
+        } else {
+            mCounter = BI_MINUS_ONE;
+        }
+        mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString());
+        try {
+            CMS.getConfigStore().commit(false);
+        } catch (Exception e) {
+        }
+        CMS.debug("CertificateRepository: getLastSerialNumberInRange  mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers);
 
+        String ldapfilter = "("+ICertRecord.ATTR_CERT_STATUS+"=*"+")";
+
         String[] attrs = null;
 
         ICertRecordList recList = findCertRecordsInList(ldapfilter,attrs,serial_upper_bound.toString(10),"serialno", 5 * -1);
@@ -112,7 +446,7 @@
 
             BigInteger ret = new BigInteger(serial_low_bound.toString(10));
 
-            ret = ret.add(new BigInteger("-1")); 
+            ret = ret.subtract(BigInteger.ONE); 
             CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret);
             return ret;
         }
@@ -151,7 +485,7 @@
 
         BigInteger ret = new BigInteger(serial_low_bound.toString(10));
 
-        ret = ret.add(new BigInteger("-1")); 
+        ret = ret.subtract(BigInteger.ONE); 
 
         CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret);
         return ret; 
@@ -279,6 +613,7 @@
         transitRevokedExpiredCertificates();
         CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER,
             CMS.getLogMessage("CMSCORE_DBS_FINISH_REVOKED_EXPIRED_SEARCH"));
+        updateCounter();
     }
 
     /**
@@ -653,6 +988,50 @@
         return rec;
     }
 
+    public boolean checkCertificateRecord(BigInteger serialNo)
+        throws EBaseException {
+        IDBSSession s = mDBService.createSession();
+        CertRecord rec = null;
+        boolean exists = true;
+
+        try {
+            String name = "cn" + "=" +
+                serialNo.toString() + "," + getDN();
+            String attrs[] = { "DN" };
+
+            rec = (CertRecord) s.read(name, attrs);
+            if (rec == null) exists = false;
+        } catch (EDBRecordNotFoundException e) {
+            exists = false;
+        } catch (Exception e) {
+            throw new EBaseException(e.getMessage());
+        } finally {
+            if (s != null) 
+                s.close();
+        }
+        return exists;
+    }
+
+    private void setCertificateRepositoryMode(String mode) {
+        IDBSSession s = null;
+
+        CMS.debug("CertificateRepository: setCertificateRepositoryMode   setting mode: "+mode);
+        try {
+            s = mDBService.createSession();
+            ModificationSet mods = new ModificationSet();
+            String name = getDN();
+            mods.add(IRepositoryRecord.ATTR_DESCRIPTION, Modification.MOD_REPLACE, mode);
+            s.modify(name, mods);
+        } catch (Exception e) {
+            CMS.debug("CertificateRepository: setCertificateRepositoryMode   Exception: "+e.getMessage());
+        }
+        try {
+            if (s != null) s.close();
+        } catch (Exception e) {
+            CMS.debug("CertificateRepository: setCertificateRepositoryMode   Exception: "+e.getMessage());
+        }
+    }
+
     public synchronized void modifyCertificateRecord(BigInteger serialNo,
         ModificationSet mods) throws EBaseException {
         IDBSSession s = mDBService.createSession();
@@ -1191,7 +1570,7 @@
                 String fromVal = "0";
                 try {
                     if (from != null) {
-                      int fv = Integer.parseInt(from);
+                      new BigInteger(from);
                       fromVal = from;
                     }
                 } catch (Exception e1) {
Index: pki/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java
===================================================================
--- pki/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java	(revision 2521)
+++ pki/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java	(working copy)
@@ -47,6 +47,10 @@
     private JTextField mSerialNumber;
     private JTextField mMaxSerialNumber;
     private JCheckBox mValidity;
+    private JCheckBox mRandomValidity;
+    private JTextField mRandomBits;
+    private JCheckBox mEnableSerialNumberManagement;
+    private JCheckBox mEnableRandomSerialNumbers;
     private Vector mGroupData;
     private static final String HELPINDEX =
       "configuration-ca-general-help";
@@ -139,11 +143,11 @@
         gb1.setConstraints(mOCSPEnable, gbc);
         adminPanel.add(mOCSPEnable);
 
-		// add validity block
+        // add validity block
         CMSAdminUtil.resetGBC(gbc);
         mValidity = makeJCheckBox("VALIDITY");
         gbc.anchor = gbc.CENTER;
-        //gbc.gridwidth = gbc.REMAINDER;
+        //gbc.gridwidth = gbc.REMAINDER;  remove this comment when adding random validity
         //gbc.gridheight = gbc.REMAINDER;
         //gbc.weightx = 1.0;
         gbc.weighty = 1.0;
@@ -151,6 +155,20 @@
         validityPanel.add(mValidity);
 
         CMSAdminUtil.resetGBC(gbc);
+        mRandomValidity = makeJCheckBox("RANDOM_VALIDITY");
+        gbc.anchor = gbc.CENTER;
+        gbc.weighty = 1.0;
+        gb4.setConstraints(mRandomValidity, gbc);
+        //validityPanel.add(mRandomValidity);
+
+        CMSAdminUtil.resetGBC(gbc);
+        mRandomBits = makeJTextField(10);
+        gbc.anchor = gbc.CENTER;
+        gbc.weighty = 1.0;
+        gb4.setConstraints(mRandomBits, gbc);
+        //validityPanel.add(mRandomBits);
+
+        CMSAdminUtil.resetGBC(gbc);
         JLabel dummy4 = new JLabel(" ");
         gbc.anchor = gbc.NORTHWEST;
         gbc.gridwidth = gbc.REMAINDER;
@@ -189,49 +207,86 @@
         gb2.setConstraints(dummy1, gbc);
         signingPanel.add(dummy1);
 
+        // add serial number management
+        CMSAdminUtil.resetGBC(gbc);
+        mEnableSerialNumberManagement = makeJCheckBox("MANAGEMENT");
+        //mEnableSerialNumberManagement.setEnabled(false);
+        gbc.anchor = gbc.CENTER;
+        gbc.gridwidth = gbc.REMAINDER;
+        gbc.gridheight = 1;
+        gbc.weightx = 1.0;
+        gbc.weighty = 1.0;
+        gbc.gridx = 0;
+        gbc.gridy = 0;
+        gb3.setConstraints(mEnableSerialNumberManagement, gbc);
+        serialPanel.add(mEnableSerialNumberManagement);
+
+        // add random serial numbers
+        CMSAdminUtil.resetGBC(gbc);
+        mEnableRandomSerialNumbers = makeJCheckBox("RANDOM");
+        gbc.anchor = gbc.CENTER;
+        gbc.gridwidth = gbc.REMAINDER;
+        gbc.gridheight = gbc.REMAINDER; //1;
+        gbc.weightx = 1.0;
+        gbc.weighty = 1.0;
+        gbc.gridx = 0;
+        gbc.gridy = 1;
+        gb3.setConstraints(mEnableRandomSerialNumbers, gbc);
+        serialPanel.add(mEnableRandomSerialNumbers);
+
         // add serial number block
         CMSAdminUtil.resetGBC(gbc);
         JLabel serialLabel = makeJLabel("SERIAL");
+        serialLabel.setEnabled(false);
         gbc.anchor = gbc.CENTER;
         gb3.setConstraints(serialLabel, gbc);
+        gbc.gridwidth = 1;
+        gbc.gridheight = 1;
+        gbc.weightx = 0.0;
         gbc.weighty = 1.0;
-        //gbc.insets = new Insets(COMPONENT_SPACE,0,COMPONENT_SPACE,0);
-        serialPanel.add(serialLabel);
+        gbc.gridx = 0;
+        gbc.gridy = 2;
+        //serialPanel.add(serialLabel);
 
         CMSAdminUtil.resetGBC(gbc);
         mSerialNumber = makeJTextField(17);
         mSerialNumber.setEnabled(false);
         gbc.anchor = gbc.NORTHWEST;
-        //gbc.gridwidth = gbc.REMAINDER;
-        //gbc.gridheight = gbc.REMAINDER;
-        //gbc.weightx = 1.0;
+        gbc.gridwidth = 1;
+        gbc.gridheight = 1;
+        gbc.weightx = 0.0;
         gbc.weighty = 1.0;
+        gbc.gridx = 1;
+        gbc.gridy = 2;
         gb3.setConstraints(mSerialNumber, gbc);
-        serialPanel.add(mSerialNumber);
+        //serialPanel.add(mSerialNumber);
 
         // add end serial number block
         CMSAdminUtil.resetGBC(gbc);
         JLabel maxSerialLabel = makeJLabel("MAXSERIAL");
-        gbc.anchor = gbc.EAST;
-        //gbc.insets = new Insets(COMPONENT_SPACE,DIFFERENT_COMPONENT_SPACE,0,0);
+        maxSerialLabel.setEnabled(false);
+        gbc.anchor = gbc.CENTER;
+        gbc.gridwidth = 1;
+        gbc.gridheight = 1;
         gbc.weightx = 0.0;
-        gbc.gridwidth = 1;
+        gbc.weighty = 1.0;
         gbc.gridx = 0;
+        gbc.gridy = 3;
         gb3.setConstraints(maxSerialLabel, gbc);
-        //gbc.weighty = 1.0;
-        serialPanel.add(maxSerialLabel);
+        //serialPanel.add(maxSerialLabel);
 
         CMSAdminUtil.resetGBC(gbc);
         mMaxSerialNumber = makeJTextField(17);
         mMaxSerialNumber.setEnabled(false);
-        gbc.anchor = gbc.NORTHWEST;
-        gbc.gridy = 1;
-        //gbc.gridwidth = gbc.REMAINDER;
-        //gbc.gridheight = gbc.REMAINDER;
-        //gbc.weightx = 1.0;
+        gbc.anchor = gbc.CENTER;
+        gbc.gridwidth = 1;
+        gbc.gridheight = 1;
+        gbc.weightx = 0.0;
         gbc.weighty = 1.0;
+        gbc.gridx = 1;
+        gbc.gridy = 3;
         gb3.setConstraints(mMaxSerialNumber, gbc);
-        serialPanel.add(mMaxSerialNumber);
+        //serialPanel.add(mMaxSerialNumber);
 
         CMSAdminUtil.resetGBC(gbc);
         JLabel dummy2 = new JLabel(" ");
@@ -249,13 +304,17 @@
     public void refresh() {
         mModel.progressStart();
         NameValuePairs nvps = new NameValuePairs();
-        nvps.add(Constants.PR_EE_ENABLED, "");
+        //nvps.add(Constants.PR_EE_ENABLED, "");
         //nvps.add(Constants.PR_RA_ENABLED, "");
         nvps.add(Constants.PR_DEFAULT_ALGORITHM, "");
         nvps.add(Constants.PR_ALL_ALGORITHMS, "");
         nvps.add(Constants.PR_SERIAL, "");
         nvps.add(Constants.PR_MAXSERIAL, "");
         nvps.add(Constants.PR_VALIDITY, "");
+        //nvps.add(Constants.PR_RANDOM_VALIDITY, "");
+        //nvps.add(Constants.PR_RANDOM_VALIDITY_BITS, "");
+        nvps.add(Constants.PR_SN_MANAGEMENT, "");
+        nvps.add(Constants.PR_RANDOM_SN, "");
 
         try {
             NameValuePairs val = mAdmin.read(DestDef.DEST_CA_ADMIN,
@@ -268,6 +327,7 @@
         }
         mModel.progressStop();
         clearDirtyFlag();
+        enableFields();
     }
 
     protected void populate(NameValuePairs nvps) {
@@ -275,16 +335,21 @@
         for (int i=0; i<nvps.size(); i++) {
             NameValuePair nvp = nvps.elementAt(i);
             String name = nvp.getName();
+/*
             if (name.equals(Constants.PR_EE_ENABLED)) {
                 mEEEnable.setSelected(getBoolean(nvp.getValue()));
             } else if (name.equals(Constants.PR_OCSP_ENABLED)) {
                 mOCSPEnable.setSelected(getBoolean(nvp.getValue()));
-/*
             } else if (name.equals(Constants.PR_RA_ENABLED)) {
                 mRAEnable.setSelected(getBoolean(nvp.getValue()));
+            } else
 */
-            } else if (name.equals(Constants.PR_VALIDITY)) {
+            if (name.equals(Constants.PR_VALIDITY)) {
                 mValidity.setSelected(getBoolean(nvp.getValue()));
+            } else if (name.equals(Constants.PR_SN_MANAGEMENT)) {
+                mEnableSerialNumberManagement.setSelected(getBoolean(nvp.getValue()));
+            } else if (name.equals(Constants.PR_RANDOM_SN)) {
+                mEnableRandomSerialNumbers.setSelected(getBoolean(nvp.getValue()));
             } else if (name.equals(Constants.PR_DEFAULT_ALGORITHM)) {
                 defaultAlgorithm = nvp.getValue();
             } else if (name.equals(Constants.PR_ALL_ALGORITHMS)) {
@@ -322,9 +387,19 @@
     }
 
     public void actionPerformed(ActionEvent e) {
+        if (e.getSource().equals(mEnableSerialNumberManagement)) {
+            enableFields();
+        }
         super.actionPerformed(e);
     }
 
+    private void enableFields() {
+        boolean enable = mEnableSerialNumberManagement.isSelected();
+        mEnableRandomSerialNumbers.setEnabled(enable);
+        if (!enable) mEnableRandomSerialNumbers.setSelected(enable);
+        CMSAdminUtil.repaintComp(mEnableRandomSerialNumbers);
+    }
+
     private String hexToDecimal(String hex)
     {
         //String newHex = hex.substring(2);
@@ -339,6 +414,7 @@
     public boolean applyCallback() {
         NameValuePairs nvps = new NameValuePairs();
 
+/*
         if (mEEEnable.isSelected())
             nvps.add(Constants.PR_EE_ENABLED, Constants.TRUE);
         else
@@ -349,7 +425,6 @@
         else
             nvps.add(Constants.PR_OCSP_ENABLED, Constants.FALSE);
 
-/*
         if (mRAEnable.isSelected())
             nvps.add(Constants.PR_RA_ENABLED, Constants.TRUE);
         else
@@ -361,6 +436,17 @@
         else
             nvps.add(Constants.PR_VALIDITY, Constants.FALSE);
 
+        if (mEnableSerialNumberManagement.isSelected())
+            nvps.add(Constants.PR_SN_MANAGEMENT, Constants.TRUE);
+        else
+            nvps.add(Constants.PR_SN_MANAGEMENT, Constants.FALSE);
+
+        if (mEnableSerialNumberManagement.isSelected() &&
+            mEnableRandomSerialNumbers.isSelected())
+            nvps.add(Constants.PR_RANDOM_SN, Constants.TRUE);
+        else
+            nvps.add(Constants.PR_RANDOM_SN, Constants.FALSE);
+
         nvps.add(Constants.PR_DEFAULT_ALGORITHM, 
           (String)mAlgorithms.getSelectedItem());
 
Index: pki/base/console/src/com/netscape/certsrv/common/Constants.java
===================================================================
--- pki/base/console/src/com/netscape/certsrv/common/Constants.java	(revision 2521)
+++ pki/base/console/src/com/netscape/certsrv/common/Constants.java	(working copy)
@@ -343,10 +343,14 @@
      * Certificate Authority
      *========================================================*/
     public final static String PR_VALIDITY = "validity";
+    //public final static String PR_RANDOM_VALIDITY = "randomValidity";
+    //public final static String PR_RANDOM_VALIDITY_BITS = "randomValidityBits";
     public final static String PR_DEFAULT_ALGORITHM = "defaultSigningAlgorithm";
     public final static String PR_ALL_ALGORITHMS = "allSigningAlgorithms";
     public final static String PR_SERIAL = "startSerialNumber";
     public final static String PR_MAXSERIAL = "maxSerialNumber";
+    public final static String PR_SN_MANAGEMENT = "serialNumberManagement";
+    public final static String PR_RANDOM_SN = "randomSerialNumbers";
 
     /*========================================================
      * Access Control
