Skip to content

Installing CA with Random Serial Numbers v1

Endi S. Dewata edited this page Oct 22, 2024 · 6 revisions

Overview

This page describes the process to install a CA subsystem with Random Serial Numbers v1. Note that the certificate requests will still use sequential numbers.

Installation Procedure

To install CA with random certificate serial numbers v1, follow the normal CA installation procedure, then specify the following parameter:

[CA]
pki_random_serial_numbers_enable=True

Verification

After installation the certificates will have random serial numbers, for example:

$ pki ca-cert-find
---------------
6 entries found
---------------
  Serial Number: 0x1fd1470
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0x568fea3
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0x6df4937
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0x7ca2e40
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0xbd8b567
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ...

  Serial Number: 0xc19799e
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=EXAMPLE
  ...
----------------------------
Number of entries returned 6
----------------------------

The certificate requests will still use sequential numbers:

$ pki -n caadmin ca-cert-request-find
-----------------
6 entries matched
-----------------
  Request ID: 0x1
  ...

  Request ID: 0x2
  ...

  Request ID: 0x3
  ...

  Request ID: 0x4
  ...

  Request ID: 0x5
  ...

  Request ID: 0x6
  ...
----------------------------
Number of entries returned 6
----------------------------
Clone this wiki locally