Installing CA with Random Serial Numbers v1 - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to install a CA subsystem with Random Certificate Serial Numbers v1. Note that the certificate requests will still use sequential numbers.

Installation Procedure

To install a CA with random certificate serial numbers v1, follow the normal CA installation procedure, specifying the following parameter in the installation configuration:

[CA]
pki_random_serial_numbers_enable=True

Verification

After installation the certificates will have random serial numbers, for example:

$ pki ca-cert-find
---------------
6 entries found
---------------
  Serial Number: 0x1fd1470
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0x568fea3
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0x6df4937
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0x7ca2e40
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0xbd8b567
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0xc19799e
  Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
  ...
----------------------------
Number of entries returned 6
----------------------------

The certificate requests will still use sequential numbers:

$ pki -n caadmin ca-cert-request-find
-----------------
6 entries matched
-----------------
  Request ID: 0x1
  ...

  Request ID: 0x2
  ...

  Request ID: 0x3
  ...

  Request ID: 0x4
  ...

  Request ID: 0x5
  ...

  Request ID: 0x6
  ...
----------------------------
Number of entries returned 6
----------------------------
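The two listings above can be checked mechanically rather than by eye. The following script is an added example (not part of the dogtag wiki or the pki CLI): it parses `pki ca-cert-find` / `ca-cert-request-find` output, reports whether the identifiers form a sequential run, and gives their bit lengths as a rough lower bound on the randomness actually present. The embedded sample output is copied from the listings above with the Subject DN lines dropped.

```python
import re
import sys

# Constructed sample input: the serial numbers and request IDs from the listings above.
CERT_FIND_OUTPUT = """\
  Serial Number: 0x1fd1470
  Serial Number: 0x568fea3
  Serial Number: 0x6df4937
  Serial Number: 0x7ca2e40
  Serial Number: 0xbd8b567
  Serial Number: 0xc19799e
"""
REQUEST_FIND_OUTPUT = """\
  Request ID: 0x1
  Request ID: 0x2
  Request ID: 0x3
  Request ID: 0x4
  Request ID: 0x5
  Request ID: 0x6
"""

# Matches the "Serial Number: 0x..." and "Request ID: 0x..." lines printed by the pki CLI.
ID_RE = re.compile(r"^\s*(?:Serial Number|Request ID):\s*0x([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_ids(output):
    """Return the hex identifiers found in a pki listing as integers, in listing order."""
    return [int(m.group(1), 16) for m in ID_RE.finditer(output)]


def is_sequential(ids):
    """True if the identifiers, once sorted, are consecutive integers (what random serials must NOT look like)."""
    s = sorted(ids)
    return len(s) > 1 and all(b - a == 1 for a, b in zip(s, s[1:]))


def summarize(output):
    """Count the identifiers, flag a sequential run, and report the smallest and largest bit length seen."""
    ids = parse_ids(output)
    if not ids:
        return {"count": 0, "sequential": False, "min_bits": 0, "max_bits": 0}
    bits = [v.bit_length() for v in ids]
    return {"count": len(ids), "sequential": is_sequential(ids), "min_bits": min(bits), "max_bits": max(bits)}


if __name__ == "__main__":
    # Usage: pki ca-cert-find | python3 check_serials.py
    print(summarize(sys.stdin.read()))
```

On the sample above the certificate serials are reported as non-sequential with 25 to 28 bits each, while the request IDs are reported as a sequential run.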