dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Check for minimum serial number range when using random serial numbers #2898

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #2778. Originally filed by mharmsen (@mharmsen) on 2017-07-06 20:47:32:


When using random serial numbers:

pki_random_serial_numbers_enable=True

the following default pki serial number range is specified in '/etc/pki/default.cfg':

pki_serial_number_range_start=1
pki_serial_number_range_end=10000000

However, if the admin overrides this range in their user-provided pkispawn configuration file, their specified range must consist of at least eight numbers (requiring four bits), or installation will fail with a message such as:

. . .
pkispawn    : INFO     ....... configuring PKI configuration data.

Installation failed:
com.netscape.certsrv.base.PKIException: Error in setting certificate names and key sizes: Range size is too small to support random certificate serial numbers.

Please check the CA logs in /var/log/pki/pki-tomcat/ca.

A side-effect of this error is that the un-configured pki server instance will remain running.

This ticket has been created to add a serial number range check into the Python code of pkispawn when random serial numbers have been specified, to prevent installation if an inadequate serial number range has been specified.
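The pre-installation check this ticket asks for, written as an added example rather than pkispawn's own code. It reads a pkispawn-style INI deployment config with Python's configparser and refuses the range before any server configuration happens, so the failure described above (a half-configured instance left running) never occurs. Assumptions, none of which come from the issue text: the range keys are looked up in a `[CA]` section with `[DEFAULT]` as fallback, the values are decimal integers, and "at least eight numbers" means the inclusive count `end - start + 1` must be at least 8. The sample configs are constructed for the example.

```python
"""Added example: validate pki_serial_number_range_* before installation
when pki_random_serial_numbers_enable=True. Not pkispawn's own code."""
import configparser

# The issue states the range must consist of at least eight numbers.
MIN_RANDOM_SERIAL_RANGE_SIZE = 8


class SerialRangeError(ValueError):
    """Raised when the configured range cannot support random serial numbers.
    A caller (pkispawn) should abort before configuring the CA."""


def check_random_serial_range(cfg_text, section="CA"):
    """Return the inclusive size of the configured serial range when random
    serial numbers are enabled and the range is large enough. Return None when
    random serial numbers are disabled (no range check applies). Raise
    SerialRangeError for a missing, malformed, inverted or too-small range.
    Assumption: keys live in `section`, falling back to [DEFAULT]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    # configparser consults [DEFAULT] for keys missing from a named section.
    sec = parser[section] if parser.has_section(section) else parser["DEFAULT"]

    if not sec.getboolean("pki_random_serial_numbers_enable", fallback=False):
        return None  # sequential serial numbers: no minimum range size needed

    try:
        start = int(sec["pki_serial_number_range_start"])  # assumed decimal
        end = int(sec["pki_serial_number_range_end"])
    except (KeyError, ValueError) as exc:
        raise SerialRangeError(
            "pki_serial_number_range_start and pki_serial_number_range_end "
            "must both be decimal integers when "
            "pki_random_serial_numbers_enable=True") from exc

    if end < start:
        raise SerialRangeError(
            f"pki_serial_number_range_end ({end}) is below "
            f"pki_serial_number_range_start ({start})")

    size = end - start + 1  # assumption: bounds are inclusive
    if size < MIN_RANDOM_SERIAL_RANGE_SIZE:
        raise SerialRangeError(
            f"serial number range {start}..{end} holds only {size} value(s); "
            f"random serial numbers need at least "
            f"{MIN_RANDOM_SERIAL_RANGE_SIZE}")
    return size


# Constructed sample configs (not taken from any real deployment file).
DEFAULT_RANGE_CFG = """
[DEFAULT]
pki_random_serial_numbers_enable=True
pki_serial_number_range_start=1
pki_serial_number_range_end=10000000
"""

TOO_SMALL_CFG = """
[DEFAULT]
pki_random_serial_numbers_enable=True
[CA]
pki_serial_number_range_start=1
pki_serial_number_range_end=4
"""

MINIMAL_OK_CFG = """
[CA]
pki_random_serial_numbers_enable=yes
pki_serial_number_range_start=100
pki_serial_number_range_end=107
"""

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_RANGE_CFG),
                      ("too small", TOO_SMALL_CFG),
                      ("minimal ok", MINIMAL_OK_CFG)]:
        try:
            print(name, "->", check_random_serial_range(cfg))
        except SerialRangeError as err:
            print(name, "-> REJECTED:", err)
```

Running the check at pkispawn's configuration-parsing stage (before any instance is created) gives the admin the error message in their own terminal, while the server-side PKIException shown above only surfaces after the instance is already running.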

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-07-06 20:48:15

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 18:52:52

[20171025] - Offline Triage ==> 10.6

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 18:52:56

Metadata Update from @mharmsen: