Configuring CA with Random Serial Numbers v3 - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to switch the ID generators in an existing CA from the legacy Sequential Serial Numbers or Random Serial Numbers v1 to Random Serial Numbers v3.

Warning
Switching back from Random Serial Numbers v3 to the legacy Sequential Serial Numbers or Random Serial Numbers v1 is currently not supported.

In a cluster environment it’s recommended to perform the switch in two steps:

  • Upgrade all servers one-by-one to PKI 11.2 or later.

  • Switch all servers one-by-one to Random Serial Numbers v3.

Random Serial Numbers v3 has not been designed or tested to work alongside the legacy Sequential Serial Numbers or Random Serial Numbers v1, so it’s not recommended to keep a mixed configuration within a cluster for longer than the switch requires.

Configuration Process

Stopping PKI Server

First, stop PKI server:

$ pki-server stop --wait

Backing Up PKI Server

It is highly recommended to back up the PKI server and the DS (Directory Server) in case it’s necessary to return to the original ID generators.

Configuring Certificate Request ID Generator

Disable the legacy ID generator for certificate requests:

$ pki-server ca-config-unset dbs.beginRequestNumber
$ pki-server ca-config-unset dbs.endRequestNumber
$ pki-server ca-config-unset dbs.requestIncrement
$ pki-server ca-config-unset dbs.requestLowWaterMark
$ pki-server ca-config-unset dbs.requestCloneTransferNumber
$ pki-server ca-config-unset dbs.requestRangeDN

Enable the RSNv3 ID generator for certificate requests:

$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.request.id.length 128

Configuring Certificate ID Generator

Disable the legacy ID generator for certificates:

$ pki-server ca-config-unset dbs.beginSerialNumber
$ pki-server ca-config-unset dbs.endSerialNumber
$ pki-server ca-config-unset dbs.serialIncrement
$ pki-server ca-config-unset dbs.serialLowWaterMark
$ pki-server ca-config-unset dbs.serialCloneTransferNumber
$ pki-server ca-config-unset dbs.serialRangeDN
$ pki-server ca-config-unset dbs.enableRandomSerialNumbers
$ pki-server ca-config-unset dbs.randomSerialNumberCounter

Enable the RSNv3 ID generator for certificates:

$ pki-server ca-config-set dbs.cert.id.generator random
$ pki-server ca-config-set dbs.cert.id.length 128

Restarting PKI Server

Finally, restart PKI server:

$ pki-server start --wait
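The switch above touches a long list of keys in CS.cfg, and a single missed `ca-config-unset` leaves a mixed configuration. The following script is an added example (not part of the Dogtag PKI project) that checks a CS.cfg-style `key=value` file for a complete switch before the restart: every legacy key from the two "Disable" steps must be absent and both RSNv3 generators must be set to `random` with length 128. The CS.cfg path in the last comment is an assumption, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: verify a CA CS.cfg reflects a complete RSNv3 switch.

# Keys that must be absent after the switch (both "Disable" steps above).
LEGACY_KEYS="dbs.beginRequestNumber dbs.endRequestNumber dbs.requestIncrement
dbs.requestLowWaterMark dbs.requestCloneTransferNumber dbs.requestRangeDN
dbs.beginSerialNumber dbs.endSerialNumber dbs.serialIncrement
dbs.serialLowWaterMark dbs.serialCloneTransferNumber dbs.serialRangeDN
dbs.enableRandomSerialNumbers dbs.randomSerialNumberCounter"

# Print the value of a key in a key=value file (empty if the key is absent).
cfg_get() {  # cfg_get <file> <key>
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 if the file shows a complete RSNv3 switch, 1 otherwise.
# Every problem found is reported on stderr so nothing is hidden.
check_rsnv3_config() {  # check_rsnv3_config <file>
    rc=0
    for key in $LEGACY_KEYS; do
        if grep -q "^$key=" "$1"; then
            echo "legacy key still present: $key" >&2; rc=1
        fi
    done
    for kind in request cert; do
        [ "$(cfg_get "$1" "dbs.$kind.id.generator")" = "random" ] ||
            { echo "dbs.$kind.id.generator is not 'random'" >&2; rc=1; }
        [ "$(cfg_get "$1" "dbs.$kind.id.length")" = "128" ] ||
            { echo "dbs.$kind.id.length is not 128" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample: RSNv3 keys are set, but one legacy key was missed.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dbs.cert.id.generator=random
dbs.cert.id.length=128
dbs.request.id.generator=random
dbs.request.id.length=128
dbs.randomSerialNumberCounter=0
EOF

check_rsnv3_config "$SAMPLE" && echo "OK" || echo "incomplete switch"
# Real use (path is an assumption for a default instance):
#   check_rsnv3_config /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
```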

Recovery

Warning
The recovery procedure has not been fully tested.

In case it’s necessary to use the original ID generators, use the following procedure to recover:

  • Stop PKI server.

  • Restore the CS.cfg from the backup.

  • Remove new certificates created with RSNv3 from user records in DS.

  • Remove new certificate records created with RSNv3 from DS.

  • Remove new certificate request records created with RSNv3 from DS.

  • Restart PKI server.

  • Revoke new certificates created with RSNv3.

If the above procedure does not work, restore PKI server and DS from the backup.
