Configuring KRA with Random Serial Numbers v3 - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to switch the ID generators in an existing KRA from the legacy Sequential Serial Numbers to Random Serial Numbers v3.

Warning
Switching back from Random Serial Numbers v3 to the legacy Sequential Serial Numbers is currently not supported.

In a cluster environment it’s recommended to perform the switch in two steps:

  • Upgrade all servers one-by-one to PKI 11.2 or later.

  • Switch all servers one-by-one to Random Serial Numbers v3.

The Random Serial Numbers v3 has not been designed or tested to work with the legacy Sequential Serial Numbers or Random Serial Numbers v1, so it’s not recommended to maintain a mixed configuration within a cluster for a long time.

Configuration Process

Stopping PKI Server

First, stop PKI server:

$ pki-server stop --wait

Backing Up PKI Server

It is highly recommended to back up PKI server and DS in case it’s necessary to use the original ID generators.

Configuring Key Request ID Generator

Disable the legacy ID generator for key requests:

$ pki-server kra-config-unset dbs.beginRequestNumber
$ pki-server kra-config-unset dbs.endRequestNumber
$ pki-server kra-config-unset dbs.requestIncrement
$ pki-server kra-config-unset dbs.requestLowWaterMark
$ pki-server kra-config-unset dbs.requestCloneTransferNumber
$ pki-server kra-config-unset dbs.requestRangeDN

Enable the RSNv3 ID generator for key requests:

$ pki-server kra-config-set dbs.request.id.generator random
$ pki-server kra-config-set dbs.request.id.length 128

Configuring Key ID Generator

Disable the legacy ID generator for keys:

$ pki-server kra-config-unset dbs.beginSerialNumber
$ pki-server kra-config-unset dbs.endSerialNumber
$ pki-server kra-config-unset dbs.serialIncrement
$ pki-server kra-config-unset dbs.serialLowWaterMark
$ pki-server kra-config-unset dbs.serialCloneTransferNumber
$ pki-server kra-config-unset dbs.serialRangeDN

Enable the RSNv3 ID generator for keys:

$ pki-server kra-config-set dbs.key.id.generator random
$ pki-server kra-config-set dbs.key.id.length 128

Restarting PKI Server

Finally, restart PKI server:

$ pki-server start --wait

Recovery

Warning
The recovery procedure has not been fully tested.

In case it’s necessary to use the original ID generators, use the following procedure to recover:

  • Stop PKI server.

  • Restore the CS.cfg from the backup.

  • Remove new key records created with with RSNv3 from DS.

  • Remove new key request records created with RSNv3 from DS.

  • Restart PKI server

If the above procedure does not work, restore PKI server and DS from the backup.

⚠️ **GitHub.com Fallback** ⚠️