Configuring KRA with Random Serial Numbers v3 - dogtagpki/pki GitHub Wiki
This page describes the process to switch the ID generators in an existing KRA from the legacy Sequential Serial Numbers to Random Serial Numbers v3.
Warning: Switching back from Random Serial Numbers v3 to the legacy Sequential Serial Numbers is currently not supported.
In a cluster environment it's recommended to perform the switch in two steps:
- Upgrade all servers one-by-one to PKI 11.2 or later.
- Switch all servers one-by-one to Random Serial Numbers v3.
Random Serial Numbers v3 has not been designed or tested to work alongside the legacy Sequential Serial Numbers or Random Serial Numbers v1, so it's not recommended to maintain a mixed configuration within a cluster for an extended period.
It is highly recommended to back up the PKI server and the DS in case it becomes necessary to revert to the original ID generators.
Disable the legacy ID generator for key requests:
$ pki-server kra-config-unset dbs.beginRequestNumber
$ pki-server kra-config-unset dbs.endRequestNumber
$ pki-server kra-config-unset dbs.requestIncrement
$ pki-server kra-config-unset dbs.requestLowWaterMark
$ pki-server kra-config-unset dbs.requestCloneTransferNumber
$ pki-server kra-config-unset dbs.requestRangeDN
Enable the RSNv3 ID generator for key requests:
$ pki-server kra-config-set dbs.request.id.generator random
$ pki-server kra-config-set dbs.request.id.length 128
Disable the legacy ID generator for keys:
$ pki-server kra-config-unset dbs.beginSerialNumber
$ pki-server kra-config-unset dbs.endSerialNumber
$ pki-server kra-config-unset dbs.serialIncrement
$ pki-server kra-config-unset dbs.serialLowWaterMark
$ pki-server kra-config-unset dbs.serialCloneTransferNumber
$ pki-server kra-config-unset dbs.serialRangeDN
Enable the RSNv3 ID generator for keys:
$ pki-server kra-config-set dbs.key.id.generator random
$ pki-server kra-config-set dbs.key.id.length 128
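To confirm that a server is fully switched before moving on to the next one in the cluster, the following check reads the KRA's CS.cfg and reports any legacy parameter that is still present or any generator setting that is not RSNv3. It is an added example, not code from the Dogtag wiki or project; it assumes plain `key=value` lines and that CS.cfg lives at a path such as /var/lib/pki/pki-tomcat/conf/kra/CS.cfg (assumed, not stated on this page).

```shell
#!/bin/sh
# Added example, not from the Dogtag wiki: verify that a KRA CS.cfg has been
# fully switched to RSNv3. Assumes plain "key=value" lines as in
# /var/lib/pki/pki-tomcat/conf/kra/CS.cfg (path assumed, not stated on the page).

# Legacy Sequential Serial Number parameters that the switch must remove.
LEGACY_KEYS="dbs.beginRequestNumber dbs.endRequestNumber dbs.requestIncrement
dbs.requestLowWaterMark dbs.requestCloneTransferNumber dbs.requestRangeDN
dbs.beginSerialNumber dbs.endSerialNumber dbs.serialIncrement
dbs.serialLowWaterMark dbs.serialCloneTransferNumber dbs.serialRangeDN"

# cfg_get FILE KEY: print the value of KEY, or nothing if it is absent.
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_rsnv3_config FILE: return 0 if FILE is fully switched to RSNv3;
# otherwise print each remaining problem and return 1.
check_rsnv3_config() {
    file=$1
    rc=0
    for key in $LEGACY_KEYS; do
        if grep -q "^$key=" "$file"; then
            echo "legacy parameter still present: $key"
            rc=1
        fi
    done
    # Both the key request generator and the key generator must be RSNv3.
    for prefix in dbs.request dbs.key; do
        gen=$(cfg_get "$file" "$prefix.id.generator")
        len=$(cfg_get "$file" "$prefix.id.length")
        if [ "$gen" != "random" ]; then
            echo "$prefix.id.generator is '$gen', expected 'random'"
            rc=1
        fi
        if [ "$len" != "128" ]; then
            echo "$prefix.id.length is '$len', expected '128'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a half-switched CS.cfg (legacy key range still present).
sample=$(mktemp)
printf '%s\n' 'dbs.beginSerialNumber=1' 'dbs.endSerialNumber=10000000' \
    'dbs.request.id.generator=random' 'dbs.request.id.length=128' \
    'dbs.key.id.generator=random' 'dbs.key.id.length=128' > "$sample"
check_rsnv3_config "$sample" || echo "switch incomplete for $sample"
rm -f "$sample"
```

Run it against the real CS.cfg on each server after the kra-config-set commands; a non-zero exit means some legacy parameter or generator setting still needs attention.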
Warning: The recovery procedure has not been fully tested.
In case it’s necessary to use the original ID generators, use the following procedure to recover:
- Stop PKI server.
- Restore the CS.cfg from the backup.
- Remove new key records created with RSNv3 from DS.
- Remove new key request records created with RSNv3 from DS.
- Restart PKI server.
If the above procedure does not work, restore PKI server and DS from the backup.