FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |

#2016 [RFE] Support random serial numbers in IPA certificates

Created 6 years ago by rcritten
Modified 8 months ago

Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the
same serial number as before. Firefox will then refuse to connect to the site
with the error code sec_error_reused_issuer_and_serial

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to ipa server using firefox

Additional info:

Maybe the certificate can be in some way tied to the time-stamp? That would be
an easy way of making it monotonically increasing.

There is a workaround:

- remove certificate exceptions and/or CA certificate (preferences/encryption/'view certificates')
- clear offline storage (preferences/advanced/network/'clear now')
- refresh page

- {{{chrome://settings/clearBrowserData }}}

Not planned for dogtag 10, moving to NEEDS_TRIAGE.

By default in IPA have random serial numbers, define starting serial number as an option.

The dogtag ticket for the installer option is

Moving unfinished March tickets to April milestone.

Ticket 323 was for the 8.1 version of these changes. For dogtag 10 these are the tickets to watch:

Currently in the 10.0.2 milestone.

Moving to next IPA MIlestone as this is not going to be ready in time for the beta.

This feature is just being ported to dogtag 10 now. There is no point in rushing this, pushing it to the next release.

We will need to pass an option to pkispawn to enable random serial numbers.

We will also need to decide if the serial numbers will be random in IPA by default or whether we will add an option to ipa-server-install.

AFAICT I just need to set pki_random_serial_numbers_enable to True in the config file when installing.

The code in dogtag doesn't seem quite ready yet, even to call it experimental in IPA. Moving the target forward a bit.

As per Nathan's comment, the underlying PKI feature is not ready yet for default enrollment in F19 - moving to NEEDS_TRIAGE to re-triage this ticket.

3.4 development was shifted for one month, moving tickets to reflect reality better.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

This was not completed in 4.0 time frame and is a too big change for such. Moving to next feature release.

Stretch goal of 4.2, this will likely not fit.

Moving to 4.3, we are too close to 4.2 deadline to be able to handle stretch RFEs.

A thought: when implemented, do we make random serial numbers the default,
or optional? What do users / customers expect?

My hunch is that they would expect sequential serial numbers (starting from 1)
to be the default. If so, this ticket gives minimal benefit w.r.t. the
"reissued issuer and serial" problem. Users still have to "know about" the
option to get the benefit, just like other existing workarounds e.g. --subject.


I do not think we can change the default, however as we add more and more of such options we can have something like a wrapper install script for a specific category of use cases. For example I expect that if we define a developer/test environment wrapper script this option would be probably on by default.

a year ago

Metadata Update from @rcritten:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5 backlog

8 months ago

Metadata Update from @ftweedal:
- Assignee reset

Login to comment on this ticket.


Certificate management