Bug 1461441
Summary: | Serial number does not fall in the range when serial number range and random serial number is enabled in the installation file | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Roshni <rpattath> |
Component: | pki-core | Assignee: | Jack Magne <jmagne> |
Status: | CLOSED NOTABUG | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.4 | CC: | arubin, mharmsen, msauton |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Last Closed: | 2017-08-28 21:49:49 UTC | Type: | Bug |
Description
Roshni
2017-06-14 12:59:39 UTC
This issue is possibly due to an error in the config file. The following may be the issue:

pki_serial_number_range_start=50
pki_request_number_range_start=100

One setting is for the start of the serial number range and the other is for the start of the request number range. The endpoints of both those ranges will be defaulted to some large number.

I tried the following on my box:

pki_serial_number_range_start=3
pki_serial_number_range_end=20

For some reason the server appears to interpret the serial number range values as hex or base 16. Unfortunately, I haven't been able to determine how to input a direct hex value. What happens is it will accept an integer and it will be interpreted as hex. For instance our 20 will be considered 0x20, which is 32 in decimal.

This would explain the following serial numbers generated for the system certs after CA installation. Notice they conform to the very skinny range of 3 to 32. This artificially small range is just to prove the server is getting the right values and doing the right things with them:

0x3 valid CN=CA Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x4 valid CN=PKI Administrator,E=caadmin.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x9 valid CN=CA OCSP Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0xd valid CN=CA Audit Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x10 valid CN=Subsystem Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x1d valid CN=dhcp-16-206.sjc.redhat.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain

After verification of this by QE I believe we can close this bug.

QE agrees to close this for the reasons listed in the previous comment.
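The check described in the comments, as an added example that is not part of the original bug report or of pki-core: it reads the configured serial range in base 16 and in base 10 and lists which of the quoted certificate serials fall outside each reading. The function names are hypothetical, the sample input is constructed from the values quoted above, and treating the end of the range as inclusive is an assumption.

```python
import re

# Constructed sample input, built from the values quoted in the comments above.
CONFIG = """\
pki_serial_number_range_start=3
pki_serial_number_range_end=20
"""
LISTING = """\
0x3 valid CN=CA Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x4 valid CN=PKI Administrator,E=caadmin.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x9 valid CN=CA OCSP Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0xd valid CN=CA Audit Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x10 valid CN=Subsystem Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain
0x1d valid CN=dhcp-16-206.sjc.redhat.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain
"""
PREFIX = "pki_serial_number_range_"


def parse_range(config_text, base):
    """Return (start, end) of the serial range, reading the digits in `base`."""
    values = {}
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith(PREFIX):
            values[key.strip()] = int(value.strip(), base)
    return values[PREFIX + "start"], values[PREFIX + "end"]


def out_of_range(listing, bounds):
    """Return (serial, subject) for every listed cert outside the bounds."""
    low, high = bounds  # assumption: the end of the range is inclusive
    bad = []
    for line in listing.splitlines():
        match = re.match(r"\s*(0x[0-9a-fA-F]+)\s+\S+\s+(.*)", line)
        if match and not low <= int(match.group(1), 16) <= high:
            bad.append((match.group(1), match.group(2)))
    return bad


def report():
    """Compare the two readings of the same configuration values."""
    return {name: out_of_range(LISTING, parse_range(CONFIG, base))
            for name, base in (("hex", 16), ("decimal", 10))}


if __name__ == "__main__":
    for reading, bad in report().items():
        print(f"{reading:8}", bad or "all serials in range")
```

Read as decimal, the range ends at 20 and serial 0x1d (29) looks like a violation; read as hex, the range ends at 32 and every serial is inside it.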