Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2099672

Summary: Able to generate certificates of more than 128 bits with random serial numbers
Product: Red Hat Certificate System
Reporter: Chandan Pinjani <cpinjani>
Component: jss
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED MIGRATED
QA Contact: idm-cs-qe-bugs
Severity: unspecified
Priority: low
Version: ---
CC: edewata, rcritten, skhandel
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: certsys-11.1
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2025-06-24 03:30:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Chandan Pinjani 2022-06-21 13:12:33 UTC
Description of problem:
Able to generate certificates of more than 128 bits with random serial numbers

Version-Release number of selected component (if applicable):
idm-pki-ca-11.2.0-0.4.beta3.el9.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set the following in the CA pkispawn configuration file:
pki_cert_id_generator=random
pki_cert_id_length=1024

2. Install CA

Actual results:
Able to generate certificates of more than 128 bits with random serial numbers

[root@pki1 ~]# pki -p 20443 ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org'
Trust this certificate (y/N)? y
---------------
6 entries found
---------------
  Serial Number: 0x4957b80614cbdf6195b405cf01e1d01b7fc3713b5c5eb78e19a79bcc972dcd8809f3401f53aba4b4e2b235ec8a715e3b4936a8c1cf7bc0796f4eb75a2ed670b1eceac299c25bb07ac9f7c200f4c07eb17fe4fc010201d817468a3eaa1ad40066cd85c537732332a9bbd4843e81ec1e4891926da675046c1474c85b4fb4882cf83
  Subject DN: CN=Subsystem Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sat Jun 15 08:31:08 EDT 2024
  Not Valid After: Fri Jun 05 08:31:08 EDT 2026
  Issued On: Sat Jun 15 08:31:09 EDT 2024
  Issued By: system

  Serial Number: 0x4c3de2d97227d8c8672d1f68eb3b4b88f2d5293080cbe5ea8a8835dd77d0350080a0142aabf07113f0ee5ba4c4ae3e6c59b64ef703c9fb4027d7052ecfa290c4ea90eb168f33d716be51430a102a551f7a6dddda48c9034eb0a5e4f0d224a14271796879c7dadd8a6af44f3fcc723e6f35769545832e0a83f89cd2d06574ceb6b
  Subject DN: CN=PKI Administrator,E=caadmin,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sat Jun 15 08:31:25 EDT 2024
  Not Valid After: Fri Jun 05 08:31:25 EDT 2026
  Issued On: Sat Jun 15 08:31:26 EDT 2024
  Issued By: system

  Serial Number: 0x32bb29410f14660c0a2e1b4afe45519ec9ce463ee01c23be71a8b8e6e2d4ca13867d01a538c279f872500e2d212c80b02fd0441b2a28199d8ae729635792875c6d569e136f5530c5aaf51e4d418013fd8c0bc43374650883c99efb80fe15014325e24d03a02908b61cbd69b1427dd3ef1904213a4fced54f2804481a92ec80fc9f
  Subject DN: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sat Jun 15 08:31:01 EDT 2024
  Not Valid After: Fri Jun 05 08:31:01 EDT 2026
  Issued On: Sat Jun 15 08:31:02 EDT 2024
  Issued By: system

  Serial Number: 0x32ddbbb6117e60b9b03c662fd109e7cb7355d033cf2e834193b1cf6b75792264520530268c9af112d77492ca432a5d78c3cc621de82a89f7136d8695e6fefbdbaf7007dcde4940774b84cd7b1bbf86b194fa9488a7ee9febaf0d7208ee6295291c45107315357ad0ea08b58dc69e1110a7852b089330e21c1748f3fde85ba9de58
  Subject DN: CN=CA Audit Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sat Jun 15 08:31:15 EDT 2024
  Not Valid After: Fri Jun 05 08:31:15 EDT 2026
  Issued On: Sat Jun 15 08:31:16 EDT 2024
  Issued By: system

  Serial Number: 0x32deab2c356e2c4065f4291fa0be350f176fc479ba1b0dc63db89aa34302be61b05099469d6d3c00f6b2fa3a7179a2c64dcd1c01d4bfd432fd3f6518fa8b9aeba4937995b27a52001d7833add5b890c985788df45a7a93225f7c3ef0ea1b08cf001796a270fab2ca25e2b6cc42b0c5e7b1ead798106efd299ad7353caf9686d3c4
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sat Jun 15 08:30:48 EDT 2024
  Not Valid After: Wed Jun 15 08:30:48 EDT 2044
  Issued On: Sat Jun 15 08:30:49 EDT 2024
  Issued By: system

  Serial Number: 0x32e5fccc0bb10b16d4bdb3eaaa7f562c76b8fb719a940d2919e95d1212e023ed9cf0afcd3096871c3d5291bb12eb58adfb958d4954b880f0ef30d054917660a423ac53bfd208b5a21ed156700695e953bcea791a60f765faf34ad48ae3f0ce5a0c1e2be34557f651bd1e416e47c0b5ffbad282a86c3eca21e26ef87c01dce912fa
  Subject DN: CN=CA OCSP Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Sat Jun 15 08:30:55 EDT 2024
  Not Valid After: Fri Jun 05 08:30:55 EDT 2026
  Issued On: Sat Jun 15 08:30:56 EDT 2024
  Issued By: system
----------------------------
Number of entries returned 6
----------------------------


Expected results:
Certificates with 128 bits must be allowed.

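A check a defender can run over `pki ca-cert-find` output like the listing above, added here as an example and not part of the bug report or of the PKI project's own code: it parses each Serial Number line, computes the bit length and DER size, and flags serials beyond the 128-bit expectation and beyond the 20-octet limit RFC 5280 places on serialNumber. The function names and the two shorter sample serials are the example's own.

```python
import re

# RFC 5280 section 4.1.2.2: conforming CAs MUST NOT use serialNumber values
# longer than 20 octets. The limit applies to the DER-encoded INTEGER, which
# needs a leading 0x00 octet whenever the top bit of the value is set.
RFC5280_MAX_SERIAL_OCTETS = 20

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*(0x[0-9a-fA-F]+)\s*$", re.MULTILINE)

def der_integer_octets(value: int) -> int:
    """Content octets DER uses for a positive INTEGER (two's complement)."""
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    return value.bit_length() // 8 + 1

def max_random_bits(max_octets: int = RFC5280_MAX_SERIAL_OCTETS) -> int:
    """Largest pki_cert_id_length that can never exceed max_octets in DER."""
    return max_octets * 8 - 1  # keeps the sign bit clear, so no pad octet

def audit_serials(cert_find_output: str, max_bits: int = 128) -> list[dict]:
    """Check every 'Serial Number:' line of `pki ca-cert-find` output."""
    findings = []
    for match in SERIAL_RE.finditer(cert_find_output):
        serial = int(match.group(1), 16)
        octets = der_integer_octets(serial)
        findings.append({
            "serial_hex": match.group(1),
            "bits": serial.bit_length(),
            "der_octets": octets,
            "exceeds_max_bits": serial.bit_length() > max_bits,
            "violates_rfc5280": octets > RFC5280_MAX_SERIAL_OCTETS,
        })
    return findings

# Constructed sample output: the first serial is copied from the report above
# (pki_cert_id_length=1024); the other two are made up for contrast, a 128-bit
# id with its top bit clear and a 160-bit id with its top bit set.
SAMPLE_OUTPUT = """\
  Serial Number: 0x4957b80614cbdf6195b405cf01e1d01b7fc3713b5c5eb78e19a79bcc972dcd8809f3401f53aba4b4e2b235ec8a715e3b4936a8c1cf7bc0796f4eb75a2ed670b1eceac299c25bb07ac9f7c200f4c07eb17fe4fc010201d817468a3eaa1ad40066cd85c537732332a9bbd4843e81ec1e4891926da675046c1474c85b4fb4882cf83
  Subject DN: CN=Subsystem Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org

  Serial Number: 0x7a3c9e1f5b2d4c6e8f0a1b2c3d4e5f60
  Subject DN: CN=constructed 128-bit example,OU=topology-02-CA,O=topology-02_Foobarmaster.org

  Serial Number: 0xf1223344556677889900aabbccddeeff11223344
  Subject DN: CN=constructed 160-bit example,OU=topology-02-CA,O=topology-02_Foobarmaster.org
"""
```

A 160-bit random id is not automatically RFC 5280 compliant: when its top bit is set, DER prepends a 0x00 octet and the encoded serial becomes 21 octets, which is why max_random_bits() returns 159 for the 20-octet limit.
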
Comment 5 RHEL Program Management 2025-06-24 03:29:01 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 6 RHEL Program Management 2025-06-24 03:30:25 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.