Red Hat Bugzilla – Bug 1461441
Serial number does not fall in the range when serial number range and random serial number is enabled in the installation file
Last modified: 2017-08-28 17:49:49 EDT
Description of problem: Serial number does not fall in the range when serial number range and random serial number is enabled in the installation file Version-Release number of selected component (if applicable): pki-core-10.4.1-8.el7 How reproducible: always Steps to Reproduce: 1. pkispawn CA with the following installation file (I was attempting migration) [root@nocp1 ~]# cat rpattath/ca-migration.cfg [DEFAULT] pki_instance_name=pki-tomcat-ca-rpattath pki_user=pkiuser pki_group=pkiuser pki_audit_group=pkiaudit pki_https_port=30042 pki_http_port=30044 #NSS DB Token Password pki_hsm_enable=True pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so pki_hsm_modulename=nfast pki_token_name=NHSM6000-OCS pki_token_password= #Admin Password pki_admin_password= pki_client_pkcs12_password= pki_ds_ldap_port=1604 pki_ds_bind_dn=cn=Database Manager pki_ds_password= pki_ds_remove_data=True pki_existing=True pki_ds_secure_connection=True pki_ds_ldaps_port=1605 pki_ds_secure_connection_ca_pem_file=/tmp/ca_cert.pem [Tomcat] pki_ajp_port=30009 pki_tomcat_server_port=30005 [CA] pki_ca_signing_csr_path=/root/rpattath/ca_signing.csr pki_ca_signing_cert_path=/root/rpattath/ca_signing.crt pki_ca_signing_nickname=caSigningCert cert-pki-ca-rpattath pki_ca_signing_token=NHSM6000-OCS pki_pin= pki_ds_hostname=nocp1.idm.lab.eng.rdu2.redhat.com pki_ds_base_dn=dc=nocp9.idm.lab.eng.rdu2.redhat.com-pki-ca-rpattath pki_ds_database=nocp9.idm.lab.eng.rdu2.redhat.com-pki-ca-rpattath pki_serial_number_range_start=50 pki_request_number_range_start=100 pki_random_serial_numbers_enable=True pki_master_crl_enable=False pki_skip_installation=True 2. 3. Actual results: None of the serial numbers of system certs generated after pkispawn falls in the range specified Expected results: The random serial number must fall in the range specified Additional info:
This issue, is possibly due to an error in the config file. The following may be the issue: pki_serial_number_range_start=50 pki_request_number_range_start=100 One setting is for the start of the serial number range and the other is for the start of the request number range. The endpoints of both those ranges will be defaulted to some large number. I tried the following on my box: pki_serial_number_range_start=3 pki_serial_number_range_end=20 For some reason the server appears to interpret the serial number range values as hex or base 16. Unfortunately, I haven't been able to determine how to input a direct hex value. What happens is it will accept and integer and it will be interpreted at hex. For instance our 20 will be considered 0x20, which is 32 in decimal. This would explain the following serial numbers generated for the system certs after ca installation: Notice they conform to the very skinny range of 3 to 32. This artificial small range is just to prove the server is getting the right values and doing the right things with them. 0x3 valid CN=CA Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain 0x4 valid CN=PKI Administrator,E=caadmin@sjc.redhat.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain 0x9 valid CN=CA OCSP Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain 0xd valid CN=CA Audit Signing Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain 0x10 valid CN=Subsystem Certificate,OU=pki-client-auth,O=sjc.redhat.com Security Domain 0x1d valid CN=dhcp-16-206.sjc.redhat.com,OU=pki-client-auth,O=sjc.redhat.com Security Domain After verification of this by QE I believe we can close this bug.
QE agrees to close this for the reasons listed in the previous comment.