Issue #6725 has been updated by Charlie Sharpsteen.

Assignee set to Charlie Sharpsteen

----------------------------------------
Feature #6725: Serial # for x509 certificates
https://projects.puppetlabs.com/issues/6725#change-87329

* Author: Ken Barber
* Status: Accepted
* Priority: Normal
* Assignee: Charlie Sharpsteen
* Category: SSL
* Target version: Waldorf
* Affected Puppet version: 2.6.6
* Keywords: 
* Branch: 
----------------------------------------
So the way we sequentially assign serial numbers for certificates is not 
optimal and forces us to do weird things like locking files to ensure we avoid 
duplication. The reality is a serial number in an x509 certificate does not 
need to be sequential, it just needs to be random:

http://tools.ietf.org/html/rfc5280#page-19

Now I believe the RFC wording can support a serial number up to 20 octets wide. 
If this is the case we can probably just use UUIDs (which are 16 octets wide?) 
... which would reduce the amount of collision possibilities.

There are a few reasons that this is beneficial:

* to allow us to potentially remove the locking of our serial file. I found in 
the past this locking reduces scalability in cases of en masse auto-signing. 
* Also - in auto-sign situations - this removes the need to have a single CA 
for sequential serial allocation ... if the serials are UUIDs they have a low 
chance of collision more or less. In the future if we move cert storage to a 
central place we can avoid having to lock for the next number as well.
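As an added illustration of the constraint the ticket refers to (this is example code, not part of the ticket and not Puppet's CA implementation): RFC 5280 section 4.1.2.2 requires serialNumber to be a positive integer whose DER encoding is at most 20 content octets. Because DER INTEGER is two's complement, a value whose top bit is set gains a leading 0x00 octet, so a random 20-octet serial must leave its top bit clear (159 random bits). The helpers below, all stdlib and with hypothetical names, generate serials that way, derive one from a UUID as the ticket proposes, validate any candidate against the length rule, and estimate the birthday-bound collision probability that the ticket describes as "low".

```python
import math
import secrets
import uuid

# RFC 5280 4.1.2.2: conforming CAs MUST NOT use serialNumber values longer
# than 20 octets, and the value must be a positive integer.
MAX_SERIAL_OCTETS = 20


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value.

    DER uses two's complement, so if the top bit of the magnitude is set a
    leading 0x00 octet is added to keep the number positive.
    """
    if value < 0:
        raise ValueError("certificate serial numbers must not be negative")
    octets = value.bit_length() // 8 + 1
    return value.to_bytes(octets, "big")


def is_valid_serial(value: int) -> bool:
    """True when value is positive and DER-encodes to at most 20 content octets."""
    return value > 0 and len(der_integer_content(value)) <= MAX_SERIAL_OCTETS


def random_serial(octets: int = MAX_SERIAL_OCTETS) -> int:
    """Random positive serial whose DER encoding fits in `octets` octets.

    Drawing 8*octets - 1 bits keeps the top bit clear, so no sign octet is
    needed and the encoding never exceeds the requested width.
    """
    value = secrets.randbits(8 * octets - 1)
    return value or 1  # zero is not a valid serial; practically unreachable


def uuid_serial() -> int:
    """Serial derived from a random (version 4) UUID, as the ticket suggests.

    A UUID is 16 octets; with the sign octet it is at most 17 DER octets, so
    it always satisfies the 20-octet limit. The version bits guarantee the
    value is non-zero.
    """
    return uuid.uuid4().int


def collision_probability(issued: int, random_bits: int) -> float:
    """Birthday-bound estimate of at least one duplicate among `issued` serials
    each carrying `random_bits` bits of entropy: 1 - exp(-n(n-1) / 2^(bits+1)).
    """
    exponent = -(issued * (issued - 1)) / 2 ** (random_bits + 1)
    return 1.0 - math.exp(exponent)


if __name__ == "__main__":
    for label, serial in (("random-20-octet", random_serial()),
                          ("uuid4", uuid_serial())):
        print(f"{label}: {serial:x} "
              f"({len(der_integer_content(serial))} DER octets, "
              f"valid={is_valid_serial(serial)})")
    # A UUIDv4 carries 122 random bits (6 are version/variant).
    print("P(collision) after one million UUID serials:",
          collision_probability(10 ** 6, 122))
```

The validity check is the piece worth keeping next to any CA code path: it catches both the zero/negative case and the subtle off-by-one where a 20-octet value with its top bit set silently becomes a 21-octet encoding that strict verifiers reject.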

