Bug 747959 - [RFE] Support random serial numbers in IPA certificates
Summary: [RFE] Support random serial numbers in IPA certificates
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.2
Assignee: IPA Maintainers
QA Contact: ipa-qe
: 1346993 (view as bug list)
Depends On: 1641804
TreeView+ depends on / blocked
Reported: 2011-10-21 13:58 UTC by David Juran
Modified: 2021-11-02 12:20 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed:
Type: ---
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7015 0 None None None 2021-10-03 13:59:07 UTC
Red Hat Knowledge Base (Solution) 384303 0 None None None 2016-04-14 14:45:01 UTC
Red Hat Knowledge Base (Solution) 873193 0 None None None 2016-04-14 14:44:48 UTC

Description David Juran 2011-10-21 13:58:48 UTC
Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the same serial number as before. Firefox will then refuse to connect to the site with the error code sec_error_reused_issuer_and_serial 

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to ipa server using firefox
Additional info:

Maybe the certificate can be in some way tied to the time-stamp? That would be an easy way of making it monotonically increasing.

Comment 2 Rob Crittenden 2011-10-21 14:18:08 UTC
Upstream ticket:

Comment 3 David Juran 2011-10-21 14:36:51 UTC
Workaround: http://adam.younglogic.com/2011/08/httpd-cert/

Comment 13 Petr Vobornik 2016-06-22 17:16:47 UTC
*** Bug 1346993 has been marked as a duplicate of this bug. ***

Comment 14 Petr Vobornik 2017-02-23 14:40:59 UTC
This change won't make 7.4. Fixing in 7.5 depends on upstream capacity.

Comment 19 Asha Akkiangady 2019-08-16 18:32:36 UTC
As stated in the RHCS 9.4 Common Criteria document, https://www.niap-ccevs.org/MMO/Product/st_10831-agd2.pdf

In addition to sequential serial number management, Red Hat Certificate System provides
optional random serial number management. Using random serial numbers is selectable at
CA instance installation time by adding a [CA] section to the PKI instance override file and
adding the following name=value pair under that section:


If selected, certificate request numbers and certificate serial numbers will be selected
randomly within the specified ranges.

Comment 25 Fraser Tweedale 2019-12-10 10:21:45 UTC
The proposal https://www.dogtagpki.org/wiki/Random_Certificate_Serial_Numbers_v2 is worth doing before the IPA effort.
Otherwise, to ensure there's enough entropy in the serial numbers we need to set both the range sizes and the
"low water mark" config waaay higher than their current default values.  I have a hunch that it will be less work to
implement the Dogtag proposal than to reliably and robustly set/manage those parts of the Dogtag configuration in FreeIPA.

In regard to Christian's particular comments, the range management happens the same way whether using random or sequential
serial numbers, so apart from the range size and low water mark config (which is important!) there is no new technical
debt incurred by merely "switching on" random serial number assignment via pki_random_serial_numbers_enable=True.

Comment 26 Christian Heimes 2019-12-10 12:20:23 UTC
The v2 proposal looks good. I have just one minor change request. Could you please make the replicaID two bytes wide? That would allow us to reuse "nsDS5ReplicaId" from "cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config" as a replica identifier. The value is an uint16_t in the range 0..65534 and guaranteed to be unique in a replication environment.

Note You need to log in before you can comment on or make changes to this bug.