[Freeipa-devel] Random Certificate Serial Numbers

[Ade Lee]

On Mon, 2014-04-07 at 09:48 +0200, Martin Kosek wrote:
> Hi Rob, Ade and others,
> 
> In the past, Rob was investigating enabling random certificate serial numbers
> for FreeIPA PKI [1].  We also have a ticket [2] planned to enable it for 4.0.
> Can we simply switch it on for PKI with pkispawn attribute:
> 
> [CA]
> pki_random_serial_numbers_enable=True
> 
Putting in this parameter in pkispawn means changing the method of
assigning serial numbers for the CA that is being installed (ie. a new
master)

Thus this will affect new masters only.  When the CA is cloned, it will
inherit its method of assigning serial numbers from the master.

I need to check the code to see what happens if you specify the above
directive in pkispawn for a clone.

Are you considering changing the serial number assignment for existing
masters?

> or is there any drawback or risk we should investigate. I am just thinking,
> does PKI handle collisions anyhow? When for example two PKI masters generate 2
> certificates of the same serial (unlikely though it could happen)?
> 
Collisions are not supposed to happen.  Range number assignment is
automatically managed so that different masters are assigned different
ranges so that collisions cannot happen.

Collisions can occur if ranges overlap -- ie. if you are
manually updating ranges and end up using overlapping ranges.

> Currently, we assign different slice of serial range to different PKI masters,
> do we want to do that also for random serial?
> 

Yes.  Range management is done automatically.  Different masters are
assigned different ranges to prevent collisions.  Random serial numbers
will be generated within the assigned range.

> Thanks for info
> 
> [1] http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers
> [2] https://fedorahosted.org/freeipa/ticket/2016
>