Configuring CA with Random Serial Numbers v3

Endi S. Dewata edited this page Apr 5, 2022 · 16 revisions

Overview

This page describes the process to switch the ID generators in an existing CA from the legacy Sequential Serial Numbers or Random Serial Numbers v1 to Random Serial Numbers v3.

Warning
Switching back from Random Serial Numbers v3 to the legacy Sequential Serial Numbers or Random Serial Numbers v1 is not supported.

Configuration Process

Stopping PKI Server

First, stop the PKI server:

$ pki-server stop --wait

Configuring Certificate Request ID Generator

Disable the legacy ID generator for certificate requests:

$ pki-server ca-config-unset dbs.beginRequestNumber
$ pki-server ca-config-unset dbs.endRequestNumber
$ pki-server ca-config-unset dbs.requestIncrement
$ pki-server ca-config-unset dbs.requestLowWaterMark
$ pki-server ca-config-unset dbs.requestCloneTransferNumber
$ pki-server ca-config-unset dbs.requestRangeDN

Enable the RSNv3 ID generator for certificate requests:

$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.request.id.length 128

Configuring Certificate ID Generator

Disable the legacy ID generator for certificates:

$ pki-server ca-config-unset dbs.beginSerialNumber
$ pki-server ca-config-unset dbs.endSerialNumber
$ pki-server ca-config-unset dbs.serialIncrement
$ pki-server ca-config-unset dbs.serialLowWaterMark
$ pki-server ca-config-unset dbs.serialCloneTransferNumber
$ pki-server ca-config-unset dbs.serialRangeDN
$ pki-server ca-config-unset dbs.enableRandomSerialNumbers
$ pki-server ca-config-unset dbs.randomSerialNumberCounter

Enable the RSNv3 ID generator for certificates:

$ pki-server ca-config-set dbs.cert.id.generator random
$ pki-server ca-config-set dbs.cert.id.length 128

Restarting PKI Server

Finally, start the PKI server again:

$ pki-server start --wait
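Since the switch cannot be reverted, it is worth confirming that every legacy key is gone and both RSNv3 generators are set before starting the server. The script below is an added example, not part of this wiki page or of the Dogtag project; it reads the CA's CS.cfg as a plain key=value file and reports each problem it finds. The default path of CS.cfg (for a pki-tomcat instance) and the constructed sample files at the end are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Dogtag PKI wiki): verify that a CA's CS.cfg
# reflects the switch to Random Serial Numbers v3 before the server is started.
# Assumption: CS.cfg is a key=value file at the path below for a default
# pki-tomcat instance; override CS_CFG for other instances.
CS_CFG="${CS_CFG:-/var/lib/pki/pki-tomcat/conf/ca/CS.cfg}"

# The legacy keys the procedure above removes with ca-config-unset.
LEGACY_KEYS="dbs.beginRequestNumber dbs.endRequestNumber dbs.requestIncrement \
dbs.requestLowWaterMark dbs.requestCloneTransferNumber dbs.requestRangeDN \
dbs.beginSerialNumber dbs.endSerialNumber dbs.serialIncrement \
dbs.serialLowWaterMark dbs.serialCloneTransferNumber dbs.serialRangeDN \
dbs.enableRandomSerialNumbers dbs.randomSerialNumberCounter"

# escape_key KEY: escape the dots so the key can be used as a regex.
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# cfg_get FILE KEY: print the value of KEY from FILE, or nothing if unset.
cfg_get() {
    sed -n "s/^$(escape_key "$2")=//p" "$1" | head -n 1
}

# check_rsnv3_config FILE: return 0 only if no legacy key remains and both
# the request and cert generators are "random" with a 128-bit ID length.
# Each violation is printed so the operator knows which command to rerun.
check_rsnv3_config() {
    cfg="$1"
    rc=0
    for key in $LEGACY_KEYS; do
        if grep -q "^$(escape_key "$key")=" "$cfg"; then
            echo "legacy key still set: $key"
            rc=1
        fi
    done
    for kind in request cert; do
        if [ "$(cfg_get "$cfg" "dbs.$kind.id.generator")" != "random" ]; then
            echo "dbs.$kind.id.generator is not set to random"
            rc=1
        fi
        if [ "$(cfg_get "$cfg" "dbs.$kind.id.length")" != "128" ]; then
            echo "dbs.$kind.id.length is not set to 128"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configurations (not real CS.cfg contents) used to
# exercise the check offline; on a live system run: check_rsnv3_config "$CS_CFG"
legacy_cfg=$(mktemp)
cat > "$legacy_cfg" <<'EOF'
dbs.beginSerialNumber=1
dbs.endSerialNumber=10000000
dbs.enableRandomSerialNumbers=true
dbs.request.id.generator=random
dbs.request.id.length=128
EOF

rsnv3_cfg=$(mktemp)
cat > "$rsnv3_cfg" <<'EOF'
dbs.request.id.generator=random
dbs.request.id.length=128
dbs.cert.id.generator=random
dbs.cert.id.length=128
EOF

if check_rsnv3_config "$legacy_cfg"; then
    echo "legacy sample: unexpectedly passed"
else
    echo "legacy sample: switch incomplete (expected)"
fi

if check_rsnv3_config "$rsnv3_cfg"; then
    echo "rsnv3 sample: switch complete"
fi

rm -f "$legacy_cfg" "$rsnv3_cfg"
```

Run it before `pki-server start --wait`; a non-zero exit means at least one `ca-config-unset` or `ca-config-set` step from the procedure above was skipped or misspelled.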