Bug 747959

Summary: [RFE] Support random serial numbers in IPA certificates
Product: Red Hat Enterprise Linux 7
Reporter: David Juran <djuran>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: ASSIGNED
QA Contact: Namita Soman <nsoman>
Severity: low
Priority: low
Version: 7.0
CC: awyatt, bscalio, j.becker, jgalipea, jlyle, mkosek, mtessun, nsoman, pasik, pvoborni
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement

Description David Juran 2011-10-21 09:58:48 EDT
Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the same serial number as before. Firefox will then refuse to connect to the site with the error code sec_error_reused_issuer_and_serial 

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to IPA server using Firefox

Additional info:

Maybe the certificate can be in some way tied to the time-stamp? That would be an easy way of making it monotonically increasing.
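
The collision described in this report, as an added example that is not part of the original bug or of IPA's code: a simplified model in which a reinstalled CA restarts its serial counter, compared with a CA that draws serials from a CSPRNG. The class names, issuer DN and fingerprints are constructed for illustration, and the client check only approximates a browser remembering certificates by issuer and serial.

```python
import secrets

# Constructed issuer DN for illustration; not taken from the bug report.
ISSUER = "CN=Certificate Authority,O=EXAMPLE.TEST"

class SequentialCA:
    """Hypothetical CA whose serial counter restarts at 1 on every install."""
    def __init__(self, issuer=ISSUER):
        self.issuer = issuer
        self._next = 1

    def next_serial(self):
        serial = self._next
        self._next += 1
        return serial

class RandomSerialCA(SequentialCA):
    """Same hypothetical CA, but serials come from a CSPRNG."""
    def next_serial(self):
        # 128 random bits: RFC 5280 requires a positive integer of at most
        # 20 octets, so zero is rejected and 16 octets fit comfortably.
        while True:
            serial = secrets.randbits(128)
            if serial > 0:
                return serial

def reused_issuer_and_serial(seen, issuer, serial, fingerprint):
    """True if (issuer, serial) was already seen on a different certificate."""
    previous = seen.setdefault((issuer, serial), fingerprint)
    return previous != fingerprint

def simulate_reinstall(ca_class):
    """Issue a cert, reinstall the CA, issue again; report whether the client flags reuse."""
    seen = {}  # what the client remembers across both installs
    first = ca_class()
    reused_issuer_and_serial(seen, first.issuer, first.next_serial(), "fp-install-1")
    second = ca_class()  # fresh install: counter state is gone, issuer name is unchanged
    return reused_issuer_and_serial(seen, second.issuer, second.next_serial(), "fp-install-2")

if __name__ == "__main__":
    print("sequential serials collide:", simulate_reinstall(SequentialCA))
    print("random serials collide:    ", simulate_reinstall(RandomSerialCA))
```
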

Comment 2 Rob Crittenden 2011-10-21 10:18:08 EDT
Upstream ticket:

Comment 3 David Juran 2011-10-21 10:36:51 EDT
Workaround: http://adam.younglogic.com/2011/08/httpd-cert/

Comment 13 Petr Vobornik 2016-06-22 13:16:47 EDT
*** Bug 1346993 has been marked as a duplicate of this bug. ***

Comment 14 Petr Vobornik 2017-02-23 09:40:59 EST
This change won't make 7.4. Fixing in 7.5 depends on upstream capacity.