Bug 747959 - [RFE] Support random serial numbers in IPA certificates
Summary: [RFE] Support random serial numbers in IPA certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: low
Target Milestone: rc
Target Release: 9.1
Assignee: Rob Crittenden
QA Contact: ipa-qe
Docs Contact: Filip Hanzelka
URL:
Whiteboard:
Duplicates: 1346993
Depends On: 1641804
Blocks:
 
Reported: 2011-10-21 13:58 UTC by David Juran
Modified: 2022-12-06 12:24 UTC
CC: 26 users

Fixed In Version: ipa-4.10.0-1.el9
Doc Type: Enhancement
Doc Text:
IdM now supports Random Serial Numbers

With this update, Identity Management (IdM) now includes `dogtagpki 11.2.0`, which allows you to use Random Serial Numbers version 3 (RSNv3). You can enable RSNv3 by using the `--random-serial-numbers` option when running `ipa-server-install` or `ipa-ca-install`. With RSNv3 enabled, IdM generates fully random serial numbers for certificates and requests in PKI without range management. Using RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.

IMPORTANT: RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 on all PKI services.
Clone Of:
Environment:
Last Closed: 2022-11-15 10:00:08 UTC
Type: ---
Target Upstream Version:




Links:
Red Hat Issue Tracker FREEIPA-7015 (last updated 2021-10-03 13:59:07 UTC)
Red Hat Knowledge Base (Solution) 384303 (last updated 2016-04-14 14:45:01 UTC)
Red Hat Knowledge Base (Solution) 873193 (last updated 2016-04-14 14:44:48 UTC)
Red Hat Product Errata RHBA-2022:7988 (last updated 2022-11-15 10:00:33 UTC)

Description David Juran 2011-10-21 13:58:48 UTC
Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the same serial number as before. Firefox will then refuse to connect to the site with the error code sec_error_reused_issuer_and_serial 

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to ipa server using firefox
  
Additional info:

Maybe the certificate can be in some way tied to the time-stamp? That would be an easy way of making it monotonically increasing.

Comment 2 Rob Crittenden 2011-10-21 14:18:08 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2016

Comment 3 David Juran 2011-10-21 14:36:51 UTC
Workaround: http://adam.younglogic.com/2011/08/httpd-cert/

Comment 13 Petr Vobornik 2016-06-22 17:16:47 UTC
*** Bug 1346993 has been marked as a duplicate of this bug. ***

Comment 14 Petr Vobornik 2017-02-23 14:40:59 UTC
This change won't make 7.4. Fixing in 7.5 depends on upstream capacity.

Comment 19 Asha Akkiangady 2019-08-16 18:32:36 UTC
As stated in the RHCS 9.4 Common Criteria document, https://www.niap-ccevs.org/MMO/Product/st_10831-agd2.pdf

In addition to sequential serial number management, Red Hat Certificate System provides
optional random serial number management. Using random serial numbers is selectable at
CA instance installation time by adding a [CA] section to the PKI instance override file and
adding the following name=value pair under that section:

    [CA]
    pki_random_serial_numbers_enable=True

If selected, certificate request numbers and certificate serial numbers will be selected
randomly within the specified ranges.

Comment 25 Fraser Tweedale 2019-12-10 10:21:45 UTC
The proposal https://www.dogtagpki.org/wiki/Random_Certificate_Serial_Numbers_v2 is worth doing before the IPA effort.
Otherwise, to ensure there's enough entropy in the serial numbers we need to set both the range sizes and the
"low water mark" config waaay higher than their current default values.  I have a hunch that it will be less work to
implement the Dogtag proposal than to reliably and robustly set/manage those parts of the Dogtag configuration in FreeIPA.

In regard to Christian's particular comments, the range management happens the same way whether using random or sequential
serial numbers, so apart from the range size and low water mark config (which is important!) there is no new technical
debt incurred by merely "switching on" random serial number assignment via pki_random_serial_numbers_enable=True.

Comment 26 Christian Heimes 2019-12-10 12:20:23 UTC
The v2 proposal looks good. I have just one minor change request. Could you please make the replicaID two bytes wide? That would allow us to reuse "nsDS5ReplicaId" from "cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config" as a replica identifier. The value is an uint16_t in the range 0..65534 and guaranteed to be unique in a replication environment.
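The two points raised in Comment 25 (enough entropy in the serial number space) and Comment 26 (a two-byte replica identifier taken from nsDS5ReplicaId, range 0..65534) can be checked numerically. The block below is an added example written for this page; it is not code from FreeIPA or Dogtag, and the serial layout it builds (16-bit replica id in the high bits followed by 128 random bits) is an assumption made for illustration, not the actual RSNv2/v3 encoding. What it does take from outside the page is RFC 5280, which limits a certificate serial number to a positive INTEGER of at most 20 DER octets. The birthday-bound function shows why a small sequential-style range with random selection inside it gives little protection against the original issuer-and-serial reuse, while a wide random part makes a repeat negligible even after an uninstall and reinstall under the same issuer name.

```python
"""Serial-number layout and entropy check (constructed example, not project code)."""
import math
import secrets

# RFC 5280 section 4.1.2.2: serialNumber is a positive INTEGER of at most 20 octets.
MAX_SERIAL_OCTETS = 20
REPLICA_ID_BITS = 16      # two-byte replica id, as requested in Comment 26
MAX_REPLICA_ID = 0xFFFE   # nsDS5ReplicaId range 0..65534 (Comment 26)
RANDOM_BITS = 128         # assumed width of the random part; not from the page
MAX_DRAWS = 8             # retries before giving up on an unusable draw


def der_integer_octets(value: int) -> int:
    """Content octets DER needs for a non-negative INTEGER. A leading 0x00 is
    inserted when the high bit of the first octet would otherwise be set."""
    return value.bit_length() // 8 + 1


def is_valid_serial(serial: int) -> bool:
    """Positive and at most 20 DER octets, as RFC 5280 requires."""
    return serial > 0 and der_integer_octets(serial) <= MAX_SERIAL_OCTETS


def make_serial(replica_id: int, rng=secrets.randbits) -> int:
    """Build a serial as <16-bit replica id><128 random bits> (assumed layout).

    The replica id prefix makes two replicas structurally unable to collide;
    the random part makes a repeat within one replica negligibly likely, even
    after the CA is uninstalled and reinstalled with the same issuer name.
    `rng` is injectable so the layout can be exercised deterministically."""
    if not 0 <= replica_id <= MAX_REPLICA_ID:
        raise ValueError("replica id must be in 0..65534")
    for _ in range(MAX_DRAWS):
        serial = (replica_id << RANDOM_BITS) | rng(RANDOM_BITS)
        if is_valid_serial(serial):   # rejects the all-zero draw on replica 0
            return serial
    raise RuntimeError("random source keeps returning unusable values")


def replica_of(serial: int) -> int:
    """Recover the replica id from a serial built by make_serial."""
    return serial >> RANDOM_BITS


def collision_probability(space_bits: int, issued: int) -> float:
    """Birthday-bound estimate 1 - exp(-n(n-1)/2N) that `issued` serials drawn
    uniformly from a space of N = 2**space_bits values contain a repeat."""
    space = 2.0 ** space_bits
    return 1.0 - math.exp(-(issued * (issued - 1)) / (2.0 * space))


if __name__ == "__main__":
    s = make_serial(42)
    print(hex(s), "valid:", is_valid_serial(s), "replica:", replica_of(s))
    # A 2**20 range with random selection inside it versus a 128-bit random part.
    for bits in (20, 40, 128):
        print(f"{bits:3d}-bit space, 1e6 certs issued: "
              f"P(collision) ~ {collision_probability(bits, 10**6):.3g}")
```

The takeaway for operators is the one Comment 25 makes: random selection only helps if the space it draws from is large, so either the range size and low water mark must be raised well above their defaults or the serial must carry a wide random part that is independent of range management.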

Comment 34 Florence Blanc-Renaud 2022-04-27 13:13:12 UTC
This BZ depends on PKI BZ #1641804 which is planned for RHEL 9. I'm updating the Product and release to align with PKI plans.

Comment 44 Sumedh Sidhaye 2022-08-04 08:36:51 UTC
Build used for verification: (using test nightly compose)

ipa-client-4.10.0-3.el9.x86_64
ipa-client-common-4.10.0-3.el9.noarch
ipa-common-4.10.0-3.el9.noarch
ipa-healthcheck-core-0.9-9.el9.noarch
ipa-selinux-4.10.0-3.el9.noarch
ipa-server-4.10.0-3.el9.x86_64
ipa-server-common-4.10.0-3.el9.noarch
ipa-server-dns-4.10.0-3.el9.noarch
ipa-server-trust-ad-4.10.0-3.el9.x86_64

2022-08-03T14:43:54+0000 ============================= test session starts ==============================
2022-08-03T14:43:54+0000 platform linux -- Python 3.9.13, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
2022-08-03T14:43:54+0000 cachedir: .pytest_cache
2022-08-03T14:43:54+0000 metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-139.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '2.0.2', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.6.0'}}
2022-08-03T14:43:54+0000 rootdir: /tmp/wp/freeipa, inifile: tox.ini
2022-08-03T14:43:54+0000 plugins: metadata-2.0.2, html-1.22.1, multihost-3.0, sourceorder-0.6.0
2022-08-03T14:43:58+0000 collecting ... collected 4 items
2022-08-03T14:43:58+0000 
2022-08-03T15:00:37+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNVault::test_create_and_retrieve_vault_master <- ipatests/test_integration/test_vault.py PASSED [ 25%]
2022-08-03T15:01:34+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNVault::test_create_and_retrieve_vault_replica_without_kra <- ipatests/test_integration/test_vault.py PASSED [ 50%]
2022-08-03T15:02:32+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNVault::test_create_and_retrieve_shared_vault_replica_without_kra <- ipatests/test_integration/test_vault.py PASSED [ 75%]
2022-08-03T15:10:06+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNVault::test_create_and_retrieve_vault_replica_with_kra <- ipatests/test_integration/test_vault.py PASSED [100%]
2022-08-03T15:10:06+0000 
2022-08-03T15:10:06+0000 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2022-08-03T15:10:06+0000 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2022-08-03T15:10:06+0000 ========================= 4 passed in 1571.83 seconds ==========================


============================= test session starts ==============================
platform linux -- Python 3.9.13, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-136.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 9 items

test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica0_ca_less_install PASSED [ 11%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica0_ipa_ca_install PASSED [ 22%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica0_ipa_kra_install PASSED [ 33%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica0_ipa_dns_install PASSED [ 44%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica1_with_ca_install PASSED [ 55%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica1_ipa_kra_install PASSED [ 66%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica1_ipa_dns_install PASSED [ 77%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica2_with_ca_kra_install PASSED [ 88%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_DNS1_RSN::test_replica2_ipa_dns_install PASSED [100%]

=============================== warnings summary ===============================


============================= test session starts ==============================
platform linux -- Python 3.9.13, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-136.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 9 items

test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica0_ca_less_install PASSED [ 11%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica0_ipa_ca_install PASSED [ 22%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica0_ipa_kra_install PASSED [ 33%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica0_ipa_dns_install PASSED [ 44%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica1_with_ca_install PASSED [ 55%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica1_ipa_kra_install PASSED [ 66%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica1_ipa_dns_install PASSED [ 77%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica2_with_ca_kra_install PASSED [ 88%]
test_integration/test_random_serial_numbers.py::TestInstallWithCA_KRA1_RSN::test_replica2_ipa_dns_install PASSED [100%]

=============================== warnings summary ===============================

============================= test session starts ==============================
platform linux -- Python 3.9.13, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-136.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 2 items

test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN::test_install_caless_server PASSED [ 50%]
test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN::test_server_ipa_ca_install_external PASSED [100%]

=============================== warnings summary ===============================

============================= test session starts ==============================
platform linux -- Python 3.9.13, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-139.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 37 items

test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_aes_sha_kerberos_enctypes PASSED [  2%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certmap_match_issue7520 PASSED [  5%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_cert_find_issue7520 PASSED [  8%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_add_permission_failure_issue5923 PASSED [ 10%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_change_sysaccount_password_issue7561 PASSED [ 13%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ldapmodify_password_issue7601 PASSED [ 16%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_change_sysaccount_pwd_history_issue7181 PASSED [ 18%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_change_user_pwd_history_issue7181 PASSED [ 21%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_dm_change_user_pwd_history_issue7181 PASSED [ 24%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_huge_password PASSED [ 27%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_cleartext_password_httpd_log PASSED [ 29%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_change_selinuxusermaporder PASSED [ 32%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_console PASSED [ 35%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_list_help_topics PASSED [ 37%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ssh_key_connection FAILED [ 40%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ssh_leak FAILED [ 43%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certificate_out_write_to_file PASSED [ 45%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_sssd_ifp_access_ipaapi PASSED [ 48%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_cacert_manage_install PASSED [ 51%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_hbac_systemd_user PASSED [ 54%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_config_show_configured_services PASSED [ 56%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ssh_from_controller PASSED [ 59%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_user_mod_change_capitalization_issue5879 PASSED [ 62%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_enabled_tls_protocols PASSED [ 64%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_sss_ssh_authorizedkeys PASSED [ 67%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_cacert_manage PASSED [ 70%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_adtrust_install_with_locale_issue8066 PASSED [ 72%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_login_wrong_password PASSED [ 75%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_nis_manage_enable PASSED [ 78%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_nis_manage_disable PASSED [ 81%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_nis_manage_enable_incorrect_password PASSED [ 83%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_pkispawn_log_is_present PASSED [ 86%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_reset_password_unlock PASSED [ 89%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_certupdate_no_schema PASSED [ 91%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_proxycommand_invalid_shell PASSED [ 94%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_cacert_manage_prune PASSED [ 97%]
test_integration/test_random_serial_numbers.py::TestIPACommand_RSN::test_ipa_getkeytab_server PASSED [100%]

=================================== FAILURES ===================================


2022-08-04T06:59:14+0000 ============================= test session starts ==============================
2022-08-04T06:59:14+0000 platform linux -- Python 3.9.13, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
2022-08-04T06:59:14+0000 cachedir: .pytest_cache
2022-08-04T06:59:14+0000 metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-139.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '2.0.2', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.6.0'}}
2022-08-04T06:59:14+0000 rootdir: /tmp/wp/freeipa, inifile: tox.ini
2022-08-04T06:59:14+0000 plugins: metadata-2.0.2, html-1.22.1, multihost-3.0, sourceorder-0.6.0
2022-08-04T06:59:17+0000 collecting ... collected 11 items
2022-08-04T06:59:17+0000 
2022-08-04T07:26:41+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica0_ca_less_install <- ipatests/test_integration/test_installation.py PASSED [  9%]
2022-08-04T07:30:21+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica0_ipa_ca_install <- ipatests/test_integration/test_installation.py PASSED [ 18%]
2022-08-04T07:32:55+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica0_ipa_kra_install <- ipatests/test_integration/test_installation.py PASSED [ 27%]
2022-08-04T07:34:00+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica0_ipa_dns_install <- ipatests/test_integration/test_installation.py PASSED [ 36%]
2022-08-04T07:50:50+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica1_with_ca_install <- ipatests/test_integration/test_installation.py PASSED [ 45%]
2022-08-04T07:54:00+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica1_ipa_kra_install <- ipatests/test_integration/test_installation.py PASSED [ 54%]
2022-08-04T07:54:30+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica1_ipa_dns_install <- ipatests/test_integration/test_installation.py PASSED [ 63%]
2022-08-04T08:13:35+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica2_with_ca_kra_install <- ipatests/test_integration/test_installation.py PASSED [ 72%]
2022-08-04T08:14:10+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_replica2_ipa_dns_install <- ipatests/test_integration/test_installation.py PASSED [ 81%]
2022-08-04T08:14:25+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_check_pki_config PASSED [ 90%]
2022-08-04T08:25:35+0000 ipatests/test_integration/test_random_serial_numbers.py::TestRSNPKIConfig::test_check_rsn_version PASSED [100%]
2022-08-04T08:25:35+0000 
2022-08-04T08:25:35+0000 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2022-08-04T08:25:35+0000 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2022-08-04T08:25:35+0000 ========================= 11 passed in 5180.61 seconds =========================

Comment 46 Rob Crittenden 2022-08-04 17:29:35 UTC
Additional tests
Fixed upstream
master:
https://pagure.io/freeipa/c/6033d495d19976708d3ff870523c4c2b9563dfd6

Comment 47 Florence Blanc-Renaud 2022-08-10 16:09:10 UTC
Additional tests
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/bfe074ed478c20a9537dc2a714bba50dbc2cd34f

Comment 50 errata-xmlrpc 2022-11-15 10:00:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7988

