
Sequential Serial Numbers v2

Endi S. Dewata edited this page Oct 17, 2024 · 31 revisions

Overview

Sequential Serial Numbers v2 (SSNv2) hands out serial numbers exactly as SSNv1 does, but it is configured differently and fixes SSNv1's problem of non-contiguous range allocation for certificate serial numbers. The basic functionality is described in Random Certificate Serial Numbers v1.

Warning
This feature is still being developed. Do not use in production.

Configuration

To enable SSNv2, set the ID generators to legacy2, so that CS.cfg contains:

  • dbs.cert.id.generator=legacy2

  • dbs.request.id.generator=legacy2

These can be set at installation time with pkispawn using:

  • pki_request_id_generator=legacy2

  • pki_cert_id_generator=legacy2

For request IDs and certificate serial numbers, the current range is stored in CS.cfg using the same parameters as SSNv1, but the values may be written either in decimal or, when prefixed with 0x, in hexadecimal:

  • dbs.beginRequestNumber

  • dbs.endRequestNumber

  • dbs.requestCloneTransferNumber

  • dbs.requestIncrement

  • dbs.requestLowWaterMark

  • dbs.beginSerialNumber

  • dbs.endSerialNumber

  • dbs.serialCloneTransferNumber

  • dbs.serialIncrement

  • dbs.serialLowWaterMark

Next Range

For request IDs, the next range is stored as a decimal value in the nextRange attribute of ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com.

For certificate serial numbers, the next range is stored in the nextRange attribute of ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com, also as a decimal value (not hexadecimal), regardless of how the range is written in CS.cfg.

Range Progression

For example, suppose a CA is configured with the following range (the values correspond to the end-begin size, the increment and the low-water mark parameters above):

  • size: 18 (0x12)

  • increment: 18 (0x12)

  • minimum (low-water mark): 9 (0x9)

When the number of unused values in the current range drops to the minimum, the next range is allocated and nextRange is advanced; when the current range is exhausted, the CA switches to the allocated range. The range progression will look like the following:

| Event | Current Range | Current Size | Allocated Range | Allocated Size | Next Range |
|---|---|---|---|---|---|
| Initial range | 1 - 18 (0x1 - 0x12) | 18 | | | 19 (0x13) |
| Range allocation | 1 - 18 (0x1 - 0x12) | 18 | 19 - 36 (0x13 - 0x24) | 18 | 37 (0x25) |
| Range switch | 19 - 36 (0x13 - 0x24) | 18 | 19 - 36 (0x13 - 0x24) | 18 | 37 (0x25) |
| Range allocation | 19 - 36 (0x13 - 0x24) | 18 | 37 - 54 (0x25 - 0x36) | 18 | 55 (0x37) |
| Range switch | 37 - 54 (0x25 - 0x36) | 18 | 37 - 54 (0x25 - 0x36) | 18 | 55 (0x37) |
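The following simulation, added here as an example and not part of Dogtag PKI's own code, reproduces the progression above and also shows the decimal-or-0x parsing of the CS.cfg range values. The class names, the `parse_range_value` helper and the exact trigger rule (allocate as soon as the count of unused values in the current range is less than or equal to the low-water mark) are assumptions made for this illustration; the configuration values are the ones from the example above.

```python
"""Simulate SSNv2 range progression.

Added example, not Dogtag PKI code. It models one CA's serial-number
(or request-ID) range state: a current range from which values are
handed out, a low-water mark that triggers reservation of the next
contiguous block, and a nextRange value as it would be stored in LDAP
(always decimal). Assumption: allocation fires when the count of unused
values in the current range drops to the low-water mark.
"""


def parse_range_value(value):
    """Parse a CS.cfg range value: decimal, or hexadecimal if prefixed with 0x."""
    text = value.strip()
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    return int(text, 10)


class RangeAllocator:
    """Hands out sequential IDs and keeps the next-range bookkeeping."""

    def __init__(self, begin, end, increment, low_water_mark):
        if end < begin or increment <= 0 or low_water_mark < 0:
            raise ValueError("invalid range configuration")
        self.begin, self.end = begin, end        # current range (inclusive)
        self.increment = increment
        self.low_water_mark = low_water_mark
        self.next_value = begin                  # next ID to hand out
        self.next_range = end + 1                # LDAP nextRange attribute (decimal)
        self.allocated = None                    # reserved (begin, end), not yet in use
        self.events = [("Initial range", (begin, end), None, self.next_range)]

    def unused(self):
        """Values still available in the current range."""
        return self.end - self.next_value + 1

    def _allocate(self):
        # Reserve the next contiguous block and advance nextRange.
        begin = self.next_range
        end = begin + self.increment - 1
        self.allocated = (begin, end)
        self.next_range = end + 1
        self.events.append(("Range allocation", (self.begin, self.end),
                            self.allocated, self.next_range))

    def next_id(self):
        """Return the next sequential ID, switching or allocating ranges as needed."""
        if self.next_value > self.end:
            if self.allocated is None:
                # Defensive: the block must have been reserved before exhaustion.
                raise RuntimeError("current range exhausted and no next range allocated")
            self.begin, self.end = self.allocated
            self.allocated = None
            self.next_value = self.begin
            self.events.append(("Range switch", (self.begin, self.end),
                                None, self.next_range))
        value = self.next_value
        self.next_value += 1
        if self.allocated is None and self.unused() <= self.low_water_mark:
            self._allocate()
        return value


def fmt(value):
    """Render a value in decimal with its hexadecimal form, as the table does."""
    return f"{value} (0x{value:x})"


def simulate(begin, end, increment, low_water_mark, count):
    """Hand out `count` IDs and return the recorded range events."""
    allocator = RangeAllocator(begin, end, increment, low_water_mark)
    for _ in range(count):
        allocator.next_id()
    return allocator.events


if __name__ == "__main__":
    # Constructed configuration matching the page: 1-18 (hex in CS.cfg),
    # increment 18, low-water mark 9; 37 IDs issued reaches the second switch.
    begin = parse_range_value("0x1")
    end = parse_range_value("0x12")
    for event, current, allocated, nxt in simulate(begin, end, 18, 9, 37):
        cur = f"{fmt(current[0])} - {fmt(current[1])}"
        alloc_text = "-" if allocated is None else f"{fmt(allocated[0])} - {fmt(allocated[1])}"
        print(f"{event:17} current {cur:30} allocated {alloc_text:30} next {fmt(nxt)}")
```

With the page's values the run records an allocation after the 9th ID (19-36, nextRange 37), a switch on the 19th, another allocation after the 27th (37-54, nextRange 55) and a switch on the 37th, in the same order as the table. Setting a low-water mark that is too small relative to the allocation time would be the operational risk here: the allocated block must exist before the current range is exhausted.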

Migrating from SSNv1

T.B.A.
