search

pki-bot / pki-issues-final

0 stars 0 forks source link

Check for minimum serial number range when using random serial numbers #2327

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2778. Originally filed by mharmsen (@mharmsen) on 2017-07-06 20:47:32:

When using random serial numbers:

pki_random_serial_numbers_enable=True

the following default pki serial number range is specified in '/etc/pki/default.cfg':

pki_serial_number_range_start=1
pki_serial_number_range_end=10000000

However, if the admin overrides this range in their user-provided pkispawn configuration file, their specified range must consist of at least eight numbers (requiring four-bits), or installation will fail with a message such as:

. . .
pkispawn    : INFO     ....... configuring PKI configuration data.

Installation failed:
com.netscape.certsrv.base.PKIException: Error in setting certificate names and k
ey sizes: Range size is too small to support random certificate serial numbers.

Please check the CA logs in /var/log/pki/pki-tomcat/ca.

A side-effect of this error is that the un-configured pki server instance will remain running.

This ticket has been created to add a serial number range check into the python code of pkispawn when random serial numbers have been specified to prevent installation if an inadequate serial number range has been specified.

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-07-06 20:48:15

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 18:52:52

[20171025] - Offline Triage ==> 10.6

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-10-25 18:52:56

Metadata Update from @mharmsen: