Configuring CA with Random Serial Numbers v3
This page describes the process to switch the ID generators in an existing CA from the legacy Sequential Serial Numbers or Random Serial Numbers v1 to Random Serial Numbers v3.
Warning: Switching back from Random Serial Numbers v3 to the legacy Sequential Serial Numbers or Random Serial Numbers v1 is not supported.
In a cluster environment it's recommended to perform the switch in two steps:
1. Upgrade all servers one-by-one to PKI 11.2 or later.
2. Switch all servers one-by-one to Random Serial Numbers v3.
Random Serial Numbers v3 has not been designed or tested to work alongside the legacy Sequential Serial Numbers or Random Serial Numbers v1, so it's not recommended to keep a mixed configuration within a cluster for long.
It is advised to back up the PKI server so that it can be restored if necessary. See Backing Up PKI Server.
Disable the legacy ID generator for certificate requests:
$ pki-server ca-config-unset dbs.beginRequestNumber
$ pki-server ca-config-unset dbs.endRequestNumber
$ pki-server ca-config-unset dbs.requestIncrement
$ pki-server ca-config-unset dbs.requestLowWaterMark
$ pki-server ca-config-unset dbs.requestCloneTransferNumber
$ pki-server ca-config-unset dbs.requestRangeDN
Enable the RSNv3 ID generator for certificate requests:
$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.request.id.length 128
Disable the legacy ID generator for certificates:
$ pki-server ca-config-unset dbs.beginSerialNumber
$ pki-server ca-config-unset dbs.endSerialNumber
$ pki-server ca-config-unset dbs.serialIncrement
$ pki-server ca-config-unset dbs.serialLowWaterMark
$ pki-server ca-config-unset dbs.serialCloneTransferNumber
$ pki-server ca-config-unset dbs.serialRangeDN
$ pki-server ca-config-unset dbs.enableRandomSerialNumbers
$ pki-server ca-config-unset dbs.randomSerialNumberCounter
Enable the RSNv3 ID generator for certificates:
$ pki-server ca-config-set dbs.cert.id.generator random
$ pki-server ca-config-set dbs.cert.id.length 128
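As an added check, not part of the PKI wiki or the pki-server tool, the following POSIX shell script verifies that a server's CS.cfg contains none of the legacy keys unset above and all four RSNv3 keys with the values set above. The key names are the ones on this page; the key=value layout of CS.cfg and the path /var/lib/pki/<instance>/ca/conf/CS.cfg are assumptions, and the sample configs it runs against are constructed.

```shell
#!/bin/sh
# Added example, not part of the PKI wiki: check that a CA's CS.cfg has
# completed the switch to RSNv3. Assumes CS.cfg uses key=value lines; the
# path /var/lib/pki/<instance>/ca/conf/CS.cfg is an assumption.
# Keys removed by the pki-server ca-config-unset steps on this page.
LEGACY_KEYS="dbs.beginRequestNumber dbs.endRequestNumber dbs.requestIncrement
dbs.requestLowWaterMark dbs.requestCloneTransferNumber dbs.requestRangeDN
dbs.beginSerialNumber dbs.endSerialNumber dbs.serialIncrement
dbs.serialLowWaterMark dbs.serialCloneTransferNumber dbs.serialRangeDN
dbs.enableRandomSerialNumbers dbs.randomSerialNumberCounter"
# Keys and values written by the pki-server ca-config-set steps.
REQUIRED="dbs.request.id.generator=random dbs.request.id.length=128
dbs.cert.id.generator=random dbs.cert.id.length=128"

# cfg_get FILE KEY: print KEY's value (first match), empty if absent.
cfg_get() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# check_rsnv3_config FILE: return 0 only when no legacy key remains and
# every RSNv3 key has the expected value; each problem found is reported.
check_rsnv3_config() {
    cfg="$1"; rc=0
    for key in $LEGACY_KEYS; do
        if grep -q "^$key=" "$cfg"; then
            echo "legacy key still present: $key"; rc=1
        fi
    done
    for kv in $REQUIRED; do
        key="${kv%%=*}"; want="${kv#*=}"
        got=$(cfg_get "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "expected $key=$want, found '$got'"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs (not real CS.cfg files) for a stand-alone run:
# BEFORE is a legacy setup, PARTIAL missed one unset step, AFTER is complete.
BEFORE=$(mktemp); PARTIAL=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$PARTIAL" "$AFTER"' EXIT
printf 'dbs.beginSerialNumber=1\ndbs.endSerialNumber=10000000\ndbs.enableRandomSerialNumbers=false\n' > "$BEFORE"
printf 'dbs.randomSerialNumberCounter=1\n' > "$PARTIAL"
printf 'dbs.request.id.generator=random\ndbs.request.id.length=128\n' | tee -a "$PARTIAL" > "$AFTER"
printf 'dbs.cert.id.generator=random\ndbs.cert.id.length=128\n' | tee -a "$PARTIAL" >> "$AFTER"
for f in "$BEFORE" "$PARTIAL" "$AFTER"; do
    check_rsnv3_config "$f" >/dev/null && echo "$f: switched" || echo "$f: not switched"
done
```

In a cluster, running check_rsnv3_config against each server's CS.cfg before moving on to the next one makes the one-by-one switch above verifiable rather than assumed.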