Issue #6725 has been updated by Ben Hughes.

Description updated
Status changed from Accepted to Unreviewed

----------------------------------------
Feature #6725: Serial # for x509 certificates
https://projects.puppetlabs.com/issues/6725

Author: Ken Barber
Status: Unreviewed
Priority: Normal
Assignee:
Category: SSL
Target version:
Affected Puppet version: 2.6.6
Keywords:
Branch:

So the way we sequentially assign serial numbers for certificates is not optimal and forces us to do weird things like locking files to ensure we avoid duplication. The reality is that a serial number in an x509 certificate does not need to be sequential; it just needs to be random: http://tools.ietf.org/html/rfc5280#page-19

Now I believe the RFC wording can support a serial number up to 20 octets wide. If this is the case we can probably just use uuids (which are 16 octets wide?) ... which would reduce the amount of collision possibilities.

There are a few reasons that this is beneficial:

* to allow us to potentially remove the locking of our serial file. I found in the past this locking reduces scalability in cases of en masse auto-signing.
* Also - in auto-sign situations - this removes the need to have a single CA for sequential serial allocation ... if the serials are uuids they have a low chance of collision more or less.

In the future if we move cert storage to a central place we can avoid having to lock for the next number as well.

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
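The following is an added illustration of the random-serial approach discussed in the issue; it is example code written for this page, not Puppet's own CA code. RFC 5280 section 4.1.2.2 requires the serialNumber to be a positive integer, unique per issuer, and (for conforming CAs) no longer than 20 octets in its DER encoding. The one detail worth checking before dropping the serial file is that DER INTEGER is signed: a value whose leading byte has the top bit set gets an extra 0x00 byte prepended, so 20 random bytes can encode to 21 octets, whereas 16 random bytes (the width of a UUID, as the issue suggests) encode to at most 17. The helper names, the 16-byte default and the `example.test` subject are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

# RFC 5280 4.1.2.2: a conforming CA MUST NOT issue serial numbers whose
# DER encoding is longer than 20 octets, and the value MUST be positive.
MAX_SERIAL_OCTETS = 20

# Number of content octets the DER INTEGER for +bn+ occupies. A positive
# value whose most significant bit is set is prefixed with 0x00 so it is not
# read back as negative; that extra byte is what can push a 20-byte random
# value over the limit.
def serial_encoded_octets(bn)
  bytes = bn.to_s(2)                       # big-endian magnitude, no sign byte
  return 1 if bytes.empty?                 # zero encodes as a single 0x00
  bytes.bytesize + (bytes.getbyte(0) >= 0x80 ? 1 : 0)
end

# True when +bn+ satisfies the RFC 5280 serialNumber constraints.
def rfc5280_serial_ok?(bn)
  bn.to_i > 0 && serial_encoded_octets(bn) <= MAX_SERIAL_OCTETS
end

# Draw a serial from +nbytes+ of CSPRNG output. With the (assumed) default of
# 16 bytes the encoding is at most 17 octets and a collision between two
# independently generated serials is negligible, so no shared counter or
# lock file is needed. The loop only retries on the all-zero draw.
def random_serial(nbytes = 16)
  loop do
    bn = OpenSSL::BN.new(SecureRandom.random_bytes(nbytes), 2)
    return bn if rfc5280_serial_ok?(bn)
  end
end

# Issue a self-signed certificate carrying a random serial, then return it so
# the caller can re-parse the DER and confirm the serial round-trips intact.
def self_signed_with_random_serial(cn = "example.test")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                          # X.509 v3
  cert.serial = random_serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $0
  s = random_serial
  puts "serial=0x#{s.to_s(16)} encoded_octets=#{serial_encoded_octets(s)}"
  too_wide = OpenSSL::BN.new("ff" + "00" * 19, 16)   # constructed: 20 bytes, top bit set
  puts "20-byte value with top bit set encodes to #{serial_encoded_octets(too_wide)} octets, " \
       "rfc5280_ok=#{rfc5280_serial_ok?(too_wide)}"
end
```

Usage note: if a CA ever wants the full 20 octets, the safe way is to draw 20 bytes and clear the top bit of the first one (or draw 19 bytes), and to keep the zero check. Randomness replaces the serial-file lock only for uniqueness of issuance; an issuer still needs its revocation list and any index keyed by serial to accept non-sequential values.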
