Bug 430034

Summary: Cert serial numbers need to be correctly generated for more than 2 masters
Product: [Retired] freeIPA
Reporter: Chandrasekar Kannan <ckannan>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 1.0
CC: benl, mgregg, rcritten, ssorce, yzhang
Hardware: All
OS: Linux
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:13:58 UTC
Bug Depends On: 431493
Bug Blocks: 246164, 429034

Description Chandrasekar Kannan 2008-01-24 07:15:50 UTC
Ticket #170 (new defect)

Opened 1 month ago
Cert serial numbers need to be correctly generated for more than 2 masters
Reported by: kmacmill
Assigned to: kmacmill
Priority: major
Milestone: release-1
Component: ipa-server
Description

We need to store the last used certificate serial number somehow so that more than 2 replicas are set up with correctly generated certs. We could potentially leverage the starting numbers for DNA.
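The ticket sketches two ways out of the problem: persist the last used serial, or hand each master a DNA-style starting number. The following is an added example, not code from the freeIPA project or this ticket, that models both in miniature: several masters that each count from the same starting serial (the collision the ticket describes) versus masters confined to disjoint ranges. The class and function names (MasterSerialAllocator, issue_naive, issue_ranged, duplicate_serials) and the range size are assumptions for illustration; the fix actually adopted (see Comment 3) was to generate every certificate on one master instead.

```python
# Added example, not freeIPA code. Models per-master serial allocation for a
# CA that has more than one issuing master. Names and sizes are assumptions.


class SerialRangeExhausted(Exception):
    """Raised when a master has used every serial in its assigned range."""


class MasterSerialAllocator:
    """Serial allocator for one CA master, confined to [range_start, range_end)."""

    def __init__(self, name: str, range_start: int, range_size: int) -> None:
        self.name = name
        self.range_start = range_start
        self.range_end = range_start + range_size
        # This counter is the "last used serial" state the ticket says must be stored.
        self.next_serial = range_start

    def allocate(self) -> int:
        # Never wrap into the next master's range: an error is safer than a
        # duplicate serial, which breaks revocation and client cert caches.
        if self.next_serial >= self.range_end:
            raise SerialRangeExhausted(
                f"{self.name}: range {self.range_start}-{self.range_end - 1} exhausted")
        serial = self.next_serial
        self.next_serial += 1
        return serial


def issue_naive(masters, certs_per_master, first_serial=1001):
    """Failure mode: every master keeps its own counter starting at first_serial."""
    issued = []
    for master in masters:
        for i in range(certs_per_master):
            issued.append((master, first_serial + i))
    return issued


def issue_ranged(masters, certs_per_master, first_serial=1001, range_size=1000):
    """Fix: master i owns [first_serial + i*range_size, first_serial + (i+1)*range_size)."""
    allocators = [
        MasterSerialAllocator(m, first_serial + i * range_size, range_size)
        for i, m in enumerate(masters)
    ]
    issued = []
    for alloc in allocators:
        for _ in range(certs_per_master):
            issued.append((alloc.name, alloc.allocate()))
    return issued


def duplicate_serials(issued):
    """Map each serial issued by more than one master to the masters that issued it."""
    by_serial = {}
    for master, serial in issued:
        by_serial.setdefault(serial, []).append(master)
    return {s: ms for s, ms in by_serial.items() if len(ms) > 1}


if __name__ == "__main__":
    masters = ["ipaserver", "replica64-1", "replica64-2"]
    print("naive duplicates: ", duplicate_serials(issue_naive(masters, 2)))
    print("ranged duplicates:", duplicate_serials(issue_ranged(masters, 2)))
```

With three masters the naive scheme produces serial 1001 three times; the ranged scheme gives the second master 2001, the third 3001, and no duplicates, at the cost of having to persist each master's counter and refuse to issue once its range runs out.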

Comment 3 Rob Crittenden 2008-02-05 16:05:51 UTC
This will be fixed in the patch for bug 431493.

All certificates will be generated on the master and sent to each replica.

Comment 4 Rob Crittenden 2008-02-05 18:54:19 UTC
committed in changeset 621

Comment 5 Yi Zhang 2008-04-09 00:37:50 UTC
QA verified, bug closed
build used: 4-8-2008 daily build

The following commands were run to verify the certs:

on ipa master:
ipaserver-wrong[04/08/08 17:01] certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1001 (0x3e9)
ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1002 (0x3ea)
ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n "Signing-Cert" | grep Serial

on replica server
[root@replica64-1 alias]# certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1004 (0x3ec)
[root@replica64-1 alias]# certutil -L -d /etc/httpd/alias/ -n "Server-Cert" | grep "Serial"
        Serial Number: 1005 (0x3ed)
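The verification above reads each serial by eye from `certutil -L -d <nssdb> -n <nickname>` on two hosts. The script below is an added example, not part of the ticket or the freeIPA code base, that does the same check mechanically over any number of hosts: it parses the `Serial Number:` line certutil prints, cross-checks the decimal and hex renderings so a mangled paste is rejected rather than silently miscounted, and reports every serial that appears on more than one certificate. The certutil transcripts are constructed to mirror the serials in the comment (1001, 1002, 1004, 1005) plus one deliberately colliding replica; `certutil_transcript`, `parse_serial` and `audit_serials` are assumed names.

```python
# Added example, not freeIPA code. Audits certutil -L output collected from
# several hosts for duplicate certificate serial numbers.
import re
from collections import defaultdict

# certutil prints both renderings on one line, e.g. "Serial Number: 1001 (0x3e9)"
SERIAL_RE = re.compile(r"Serial Number:\s*(\d+)\s*\(0x([0-9A-Fa-f]+)\)")


def parse_serial(certutil_output: str) -> int:
    """Extract the serial from one certificate's certutil -L output.

    The decimal and hex forms must agree; a mismatch means the text was
    wrapped, truncated or mis-pasted and must not be trusted.
    """
    match = SERIAL_RE.search(certutil_output)
    if match is None:
        raise ValueError("no 'Serial Number:' line found")
    decimal, hexa = int(match.group(1)), int(match.group(2), 16)
    if decimal != hexa:
        raise ValueError(f"serial mismatch: {decimal} vs 0x{hexa:x}")
    return decimal


def audit_serials(certs):
    """certs maps (host, nssdb, nickname) -> certutil -L output for that cert.

    Returns (serials, duplicates): serials maps each cert key to its serial,
    duplicates maps each serial seen more than once to the cert keys sharing it.
    """
    serials = {}
    owners = defaultdict(list)
    for key, output in certs.items():
        serial = parse_serial(output)
        serials[key] = serial
        owners[serial].append(key)
    duplicates = {s: keys for s, keys in owners.items() if len(keys) > 1}
    return serials, duplicates


def certutil_transcript(serial: int) -> str:
    """Constructed stand-in for the header of `certutil -L -n <nickname>` output."""
    return ("Certificate:\n"
            "    Data:\n"
            "        Version: 3 (0x2)\n"
            f"        Serial Number: {serial} (0x{serial:x})\n"
            "        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption\n")


# Constructed sample: the four serials from the QA comment, plus a second
# replica whose directory server cert wrongly reuses the master's serial 1001.
SAMPLE_CERTS = {
    ("ipaserver", "/etc/dirsrv/slapd-IPAQA-COM/", "Server-Cert"): certutil_transcript(1001),
    ("ipaserver", "/etc/httpd/alias/", "Server-Cert"): certutil_transcript(1002),
    ("replica64-1", "/etc/dirsrv/slapd-IPAQA-COM/", "Server-Cert"): certutil_transcript(1004),
    ("replica64-1", "/etc/httpd/alias/", "Server-Cert"): certutil_transcript(1005),
    ("replica64-2", "/etc/dirsrv/slapd-IPAQA-COM/", "Server-Cert"): certutil_transcript(1001),
}


if __name__ == "__main__":
    serials, dups = audit_serials(SAMPLE_CERTS)
    for (host, nssdb, nick), serial in sorted(serials.items()):
        print(f"{host:12} {nssdb:34} {nick:12} serial {serial}")
    for serial, keys in dups.items():
        print(f"DUPLICATE serial {serial} on: {sorted(k[0] for k in keys)}")
```

In a real run the transcripts would come from running certutil on each host (over ssh or a configuration management tool) and feeding the captured text in under the same `(host, nssdb, nickname)` keys; any non-empty `duplicates` result means two certificates share a serial under the same CA, which is exactly the condition this bug was about.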