roles/ipaserver: Allow deployments with random serial numbers #1060

rjeffman · 2023-03-16T15:51:23Z

Since FreeIPA version 4.10 it is possible to deploy servers that use Random Serial Number v3 support for certificates.

This patch exposes the 'random_serial_numbers' parameter, as 'ipaserver_random_serial_numbers', allowing a user to have random serial numbers enabled for the domain.

The use of random serial numbers is allowed on new installations only.

roles/ipaserver/library/ipaserver_prepare.py

varunmylaraiah · 2023-03-28T13:14:50Z

Thanks for the PR.

varunmylaraiah

LGTM,
Downstream tests work fine with this PR.

t-woerner · 2023-03-29T14:41:47Z

It might be good to add ipaserver_random_serial_numbers: false to ipaserver/defaults/main.yml.

varunmylaraiah · 2023-03-30T08:30:37Z

@t-woerner changes work fine with setup_ca

[root@master ~]# ipa cert-find
-----------------------
13 certificates matched
-----------------------
  Issuing CA: ipa
  Subject: CN=Certificate Authority,O=<xxxxxxxxxxx>
  Issuer: CN=Certificate Authority,O=<xxxxxxxxxxx>
  Not Before: Thu Mar 30 08:09:52 2023 UTC
  Not After: Mon Mar 30 08:09:52 2043 UTC
  Serial number: 7351865533529336604938147811995291205
  Serial number (hex): 0x587EAF4CC2849CC609DA283BA0E45
  Status: VALID
  Revoked: False

roles/ipaserver/README.md

Since FreeIPA version 4.10 it is possible to deploy servers that use Random Serial Number v3 support for certificates. This patch exposes the 'random_serial_numbers' parameter, as 'ipaserver_random_serial_numbers', allowing a user to have random serial numbers enabled for the domain. The use of random serial numbers is allowed on new installations only.

t-woerner · 2023-04-04T14:12:46Z

LGTM

rjeffman requested a review from t-woerner March 16, 2023 15:51

t-woerner reviewed Mar 20, 2023

View reviewed changes

roles/ipaserver/library/ipaserver_prepare.py Outdated Show resolved Hide resolved

rjeffman force-pushed the ipaserver_random_serial_numbers branch from 98953a9 to 2b30ecf Compare March 20, 2023 15:14

varunmylaraiah approved these changes Mar 28, 2023

View reviewed changes

rjeffman force-pushed the ipaserver_random_serial_numbers branch 2 times, most recently from 4f3da2b to 8deae11 Compare March 30, 2023 19:33

t-woerner reviewed Apr 4, 2023

View reviewed changes

roles/ipaserver/README.md Outdated Show resolved Hide resolved

rjeffman force-pushed the ipaserver_random_serial_numbers branch from 8deae11 to ca352d0 Compare April 4, 2023 12:30

rjeffman force-pushed the ipaserver_random_serial_numbers branch from ca352d0 to a4087a7 Compare April 4, 2023 13:38

t-woerner merged commit ecab42b into freeipa:master Apr 4, 2023
31 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

roles/ipaserver: Allow deployments with random serial numbers #1060

roles/ipaserver: Allow deployments with random serial numbers #1060

rjeffman commented Mar 16, 2023

varunmylaraiah commented Mar 28, 2023

varunmylaraiah left a comment

t-woerner commented Mar 29, 2023

varunmylaraiah commented Mar 30, 2023 •

edited

t-woerner commented Apr 4, 2023

roles/ipaserver: Allow deployments with random serial numbers #1060

roles/ipaserver: Allow deployments with random serial numbers #1060

Conversation

rjeffman commented Mar 16, 2023

varunmylaraiah commented Mar 28, 2023

varunmylaraiah left a comment

Choose a reason for hiding this comment

t-woerner commented Mar 29, 2023

varunmylaraiah commented Mar 30, 2023 • edited

t-woerner commented Apr 4, 2023

varunmylaraiah commented Mar 30, 2023 •

edited