Bug 747959

Summary: [RFE] Support random serial numbers in IPA certificates
Product: Red Hat Enterprise Linux 8
Reporter: David Juran <djuran>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: ASSIGNED
QA Contact: Namita Soman <nsoman>
Severity: low
Priority: low
Version: 8.0
CC: awyatt, bscalio, dpal, j.becker, jgalipea, jlyle, mkosek, mtessun, nsoman, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: FutureFeature
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement

Description David Juran 2011-10-21 13:58:48 UTC
Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the same serial number as before. Firefox will then refuse to connect to the site with the error code sec_error_reused_issuer_and_serial.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to ipa server using firefox

Additional info:

Maybe the certificate can be in some way tied to the time-stamp? That would be an easy way of making it monotonically increasing.
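As an added example (not code from the bug report, FreeIPA or Dogtag), the following Python script models the failure described above and the property a random-serial policy gives the CA. It uses only the standard library: `random_serial` draws an RFC 5280-compliant serial (positive, at most 20 DER octets) from the OS CSPRNG, `find_reused_serials` flags the issuer-plus-serial collision that NSS reports as `sec_error_reused_issuer_and_serial`, and `reuse_after_reinstall` contrasts a CA whose counter restarts at the same value with one that issues random serials. The issuer and subject names, the cached serial value 7, and the 159-bit serial width are constructed assumptions for this example.

```python
import secrets

# RFC 5280 section 4.1.2.2: serialNumber is a positive INTEGER of at most 20 octets.
# 159 random bits with the top bit forced on leaves the DER sign bit clear, so the
# encoded value never exceeds 20 bytes.  (Assumed policy, chosen for this example.)
SERIAL_BITS = 159

# Constructed issuer and subject names; not taken from any real deployment.
ISSUER = "CN=Certificate Authority,O=EXAMPLE.TEST"
SERVER_SUBJECT = "CN=ipa.example.test"


def random_serial(bits=SERIAL_BITS):
    """Return a positive random serial drawn from the OS CSPRNG."""
    if not 1 <= bits <= SERIAL_BITS:
        raise ValueError("serial must DER-encode to at most 20 octets")
    # Forcing the top bit keeps the value non-zero and at the intended width.
    return secrets.randbits(bits) | (1 << (bits - 1))


def der_length_ok(serial):
    """True if serial is positive and its DER INTEGER content fits in 20 octets.
    The +1 reserves the sign bit: a value whose top bit is set needs a 0x00 pad."""
    if serial <= 0:
        return False
    return (serial.bit_length() + 1 + 7) // 8 <= 20


def find_reused_serials(certs):
    """Return {(issuer, serial): [subjects]} for every pair issued more than once.
    A browser that has cached one of these certificates rejects the other;
    NSS reports it as sec_error_reused_issuer_and_serial."""
    by_key = {}
    for cert in certs:
        by_key.setdefault((cert["issuer"], cert["serial"]), []).append(cert["subject"])
    return {key: subs for key, subs in by_key.items() if len(subs) > 1}


def reuse_after_reinstall(serial_source, cached_serial=7):
    """Model the bug: the browser still holds the pre-reinstall server cert
    (constructed here with serial 7), the CA is rebuilt with the same issuer DN
    and issues a new server cert whose serial comes from serial_source().
    Returns the collisions found."""
    cached = {"issuer": ISSUER, "serial": cached_serial,
              "subject": SERVER_SUBJECT + " (before reinstall)"}
    fresh = {"issuer": ISSUER, "serial": serial_source(),
             "subject": SERVER_SUBJECT + " (after reinstall)"}
    return find_reused_serials([cached, fresh])


def sequential_counter(start=7):
    """A CA whose serial counter restarts at the same value after reinstall."""
    return lambda: start


if __name__ == "__main__":
    # Sequential counter: the new cert collides with the cached one.
    print("sequential CA:", reuse_after_reinstall(sequential_counter()))
    # Random serials: no collision, so the browser accepts the new cert.
    print("random serials:", reuse_after_reinstall(random_serial))
```

Running the script shows the sequential CA reissuing `(issuer, 7)` to the new server key, which is exactly the pair the browser already cached, while the random-serial CA produces no collision. The same `find_reused_serials` check can be run over a dump of serials from a CA database to confirm that no issuer has handed out one serial twice.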

Comment 2 Rob Crittenden 2011-10-21 14:18:08 UTC
Upstream ticket:

Comment 3 David Juran 2011-10-21 14:36:51 UTC
Workaround: http://adam.younglogic.com/2011/08/httpd-cert/

Comment 13 Petr Vobornik 2016-06-22 17:16:47 UTC
*** Bug 1346993 has been marked as a duplicate of this bug. ***

Comment 14 Petr Vobornik 2017-02-23 14:40:59 UTC
This change won't make 7.4. Fixing in 7.5 depends on upstream capacity.