#2016 [RFE] Support random serial numbers in IPA certificates
Closed: fixed 3 months ago by frenaud. Opened 10 years ago by rcritten.


Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the
same serial number as before. Firefox will then refuse to connect to the site
with the error code sec_error_reused_issuer_and_serial

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to ipa server using firefox

Additional info:

Maybe the certificate can be in some way tied to the time-stamp? That would be
an easy way of making it monotonically increasing.

There is a workaround:

- remove certificate exceptions and/or CA certificate (preferences/encryption/'view certificates')
- clear offline storage (preferences/advanced/network/'clear now')
- refresh page

- {{{chrome://settings/clearBrowserData }}}

Not planned for dogtag 10, moving to NEEDS_TRIAGE.

By default in IPA have random serial numbers, define starting serial number as an option.

Moving unfinished March tickets to April milestone.

Ticket 323 was for the 8.1 version of these changes. For dogtag 10 these are the tickets to watch:


Currently in the 10.0.2 milestone.

Moving to next IPA MIlestone as this is not going to be ready in time for the beta.

This feature is just being ported to dogtag 10 now. There is no point in rushing this, pushing it to the next release.

We will need to pass an option to pkispawn to enable random serial numbers.

We will also need to decide if the serial numbers will be random in IPA by default or whether we will add an option to ipa-server-install.

AFAICT I just need to set pki_random_serial_numbers_enable to True in the config file when installing.

The code in dogtag doesn't seem quite ready yet, even to call it experimental in IPA. Moving the target forward a bit.

As per Nathan's comment, the underlying PKI feature is not ready yet for default enrollment in F19 - moving to NEEDS_TRIAGE to re-triage this ticket.

3.4 development was shifted for one month, moving tickets to reflect reality better.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

This was not completed in 4.0 time frame and is a too big change for such. Moving to next feature release.

Stretch goal of 4.2, this will likely not fit.

Moving to 4.3, we are too close to 4.2 deadline to be able to handle stretch RFEs.

A thought: when implemented, do we make random serial numbers the default,
or optional? What do users / customers expect?

My hunch is that they would expect sequential serial numbers (starting from 1)
to be the default. If so, this ticket gives minimal benefit w.r.t. the
"reissued issuer and serial" problem. Users still have to "know about" the
option to get the benefit, just like other existing workarounds e.g. --subject.


I do not think we can change the default, however as we add more and more of such options we can have something like a wrapper install script for a specific category of use cases. For example I expect that if we define a developer/test environment wrapper script this option would be probably on by default.

Metadata Update from @rcritten:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5 backlog

5 years ago

Metadata Update from @ftweedal:
- Assignee reset

4 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

4 months ago

Metadata Update from @rcritten:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

4 months ago


  • d348144 doc/designs: add Random Serial Numbers v3 support
  • 83be923 Add a new parameter type, SerialNumber, as a subclass of Str
  • beaa056 Add support for Random Serial Numbers v3
  • d241d74 Add tests for Random Serial Number v3 support

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 months ago


  • 6033d49 Additional tests for RSN v3


  • bfe074e Additional tests for RSN v3

Login to comment on this ticket.