Sequential Serial Numbers v2 - dogtagpki/pki GitHub Wiki

Overview

Sequential Serial Numbers v2 (SSNv2) is provided to fix the Incorrect Parameter Parsing and Range Gap issues in SSNv1. It works exactly like SSNv1, but some configuration parameters are slightly different.

The way SSNv2 works is mainly described in Random Serial Numbers v1.

Notes:

  • SSNv2 is only supported for requests and certificates in CA.

  • SSNv2 is not supported for random serial numbers using dbs.enableRandomSerialNumbers=true (RSNv1) in CA. Use CA with Random Serial Numbers v3 instead.

  • SSNv2 is not supported for requests and keys in KRA. Use KRA with Random Serial Numbers v3 instead.

Current Range

For request IDs, the current range is stored in the following parameters in CS.cfg:

  • dbs.beginRequestNumber=<value>

  • dbs.endRequestNumber=<value>

  • dbs.requestCloneTransferNumber=<value>

  • dbs.requestIncrement=<value>

  • dbs.requestLowWaterMark=<value>

For certificate serial numbers, the current range is stored in the following parameters in CS.cfg:

  • dbs.beginSerialNumber=<value>

  • dbs.endSerialNumber=<value>

  • dbs.serialCloneTransferNumber=<value>

  • dbs.serialIncrement=<value>

  • dbs.serialLowWaterMark=<value>

The parameters are the same as in SSNv1, but the values can be given in decimal or in hexadecimal with a 0x prefix.

Allocated Range

For request IDs, the allocated ranges are stored as entries under ou=requests,ou=ranges_v2,dc=ca,dc=pki,dc=example,dc=com, for example:

dn: cn=11,ou=requests,ou=ranges_v2,dc=ca,dc=pki,dc=example,dc=com
objectClass: top
objectClass: pkiRange
beginRange: 11
endRange: 20
cn: 11
host: pki.example.com
SecurePort: 8443

For certificate serial numbers, the allocated ranges are stored as entries under ou=certificateRepository,ou=ranges_v2,dc=ca,dc=pki,dc=example,dc=com, for example:

dn: cn=19,ou=certificateRepository,ou=ranges_v2,dc=ca,dc=pki,dc=example,dc=com
objectClass: top
objectClass: pkiRange
beginRange: 19
endRange: 36
cn: 19
host: pki.example.com
SecurePort: 8443

Next Range

For request IDs, the next range is stored in the nextRange attribute in ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com as decimal.

For certificate serial numbers, the next range is stored in the nextRange attribute in ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com as decimal too (not hexadecimal).

Range Progression

For example, suppose a CA is configured with the following range:

  • size: 18 (0x12)

  • increment: 18 (0x12)

  • minimum: 9 (0x9)

The range progression will look like the following:

| Event            | Current Range         | Current Size | Allocated Range       | Allocated Size | Next Range |
|------------------|-----------------------|--------------|-----------------------|----------------|------------|
| Initial range    | 1 - 18 (0x1 - 0x12)   | 18           |                       |                | 19 (0x13)  |
| Range allocation | 1 - 18 (0x1 - 0x12)   | 18           | 19 - 36 (0x13 - 0x24) | 18             | 37 (0x25)  |
| Range switch     | 19 - 36 (0x13 - 0x24) | 18           | 19 - 36 (0x13 - 0x24) | 18             | 37 (0x25)  |
| Range allocation | 19 - 36 (0x13 - 0x24) | 18           | 37 - 54 (0x25 - 0x36) | 18             | 55 (0x37)  |
| Range switch     | 37 - 54 (0x25 - 0x36) | 18           | 37 - 54 (0x25 - 0x36) | 18             | 55 (0x37)  |
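As an added example (not Dogtag's own code), the following Python simulates the progression above from SSNv2-style parameters (decimal or 0x-prefixed hex) and reproduces the table rows. It assumes that a new range is allocated as soon as the numbers left in the current range fall below the low water mark, and that the CA switches to the allocated range once the current one is exhausted; the page does not state the exact trigger, so that is an assumption of this example.

```python
from dataclasses import dataclass, field

def parse_number(value: str) -> int:  # SSNv2 rule: decimal, or hexadecimal with 0x prefix
    return int(value, 16) if value.lower().startswith("0x") else int(value)

def fmt_range(begin: int, end: int) -> str:  # "1 - 18 (0x1 - 0x12)" as in the table
    return f"{begin} - {end} (0x{begin:x} - 0x{end:x})"

@dataclass
class SerialRanges:
    begin: int            # dbs.beginSerialNumber
    end: int              # dbs.endSerialNumber
    increment: int        # dbs.serialIncrement
    low_water_mark: int   # dbs.serialLowWaterMark
    next_range: int       # nextRange attribute in LDAP
    allocated: tuple = None   # latest pkiRange entry as (beginRange, endRange)
    last: int = 0             # last serial number issued
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.last = self.begin - 1
        self.record("Initial range")

    def record(self, event: str) -> None:  # one row shaped like the progression table
        alloc = fmt_range(*self.allocated) if self.allocated else ""
        alloc_size = self.allocated[1] - self.allocated[0] + 1 if self.allocated else 0
        self.events.append((event, fmt_range(self.begin, self.end), self.end - self.begin + 1,
                            alloc, alloc_size, f"{self.next_range} (0x{self.next_range:x})"))

    def issue(self) -> int:  # issue the next serial, switching or allocating as needed
        if self.last >= self.end:  # current range exhausted: switch to the allocated one
            if not self.allocated or self.allocated[0] <= self.end:
                raise RuntimeError("range exhausted and no range allocated beyond it")
            self.begin, self.end = self.allocated
            self.last = self.begin - 1
            self.record("Range switch")
        self.last += 1
        have_spare = self.allocated is not None and self.allocated[0] > self.end
        if self.end - self.last < self.low_water_mark and not have_spare:  # assumed trigger
            self.allocated = (self.next_range, self.next_range + self.increment - 1)
            self.next_range += self.increment
            self.record("Range allocation")
        return self.last

def progression(count: int) -> list:  # page's example: size 18 (0x12), increment 18, minimum 9
    ranges = SerialRanges(parse_number("0x1"), parse_number("0x12"), 18, parse_number("0x9"), 19)
    for _ in range(count):
        ranges.issue()
    return ranges.events
```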

Issues

The SSNv2 only fixes the Incorrect Parameter Parsing and Range Gap issues in SSNv1. All other issues in SSNv1 still exist in SSNv2.
