
Sequential Serial Numbers v2

Endi S. Dewata edited this page Oct 18, 2024 · 31 revisions

Overview

Sequential Serial Numbers v2 (SSNv2) works exactly like SSNv1 for serial numbers, but it uses a different configuration and solves the issue of non-contiguous range allocation for certificate serial numbers. The basic functionality is mainly described in Random Certificate Serial Numbers v1.

Warning
This feature is still being developed. Do not use in production.

Installation

New PKI server instances can be installed with SSNv2 enabled. To enable SSNv2 in existing instances that use SSNv1, follow the migration procedure below.

To enable SSNv2 for request IDs, specify the following parameters:

  • pki_request_id_generator=legacy2

  • pki_request_number_range_start=<decimal>

  • pki_request_number_range_end=<decimal>

  • pki_request_number_range_increment=<decimal>

  • pki_request_number_range_minimum=<decimal>

  • pki_request_number_range_transfer=<decimal>

To enable SSNv2 for certificate serial numbers, specify the following parameters:

  • pki_cert_id_generator=legacy2

  • pki_serial_number_range_start=<hexadecimal>

  • pki_serial_number_range_end=<hexadecimal>

  • pki_serial_number_range_increment=<hexadecimal>

  • pki_serial_number_range_minimum=<hexadecimal>

  • pki_serial_number_range_transfer=<hexadecimal>

Configuration

After installation, the request ID configuration is stored in the following parameters in CS.cfg:

  • dbs.request.id.generator=legacy2

  • dbs.beginRequestNumber=<value>

  • dbs.endRequestNumber=<value>

  • dbs.requestCloneTransferNumber=<value>

  • dbs.requestIncrement=<value>

  • dbs.requestLowWaterMark=<value>

The certificate serial numbers configuration is stored in the following parameters in CS.cfg:

  • dbs.cert.id.generator=legacy2

  • dbs.beginSerialNumber=<value>

  • dbs.endSerialNumber=<value>

  • dbs.serialCloneTransferNumber=<value>

  • dbs.serialIncrement=<value>

  • dbs.serialLowWaterMark=<value>

These are the same parameters used in SSNv1, but the values can be given in decimal or in hexadecimal with a 0x prefix.

Next Range

For request IDs, the next range is stored in the nextRange attribute in ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com as decimal.

For certificate serial numbers, the next range is stored in the nextRange attribute in ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com as decimal too (not hexadecimal).

Range Progression

For example, suppose a CA is configured with the following range:

  • size: 18 (0x12)

  • increment: 18 (0x12)

  • minimum: 9 (0x9)

The range progression will look like the following:

| Event | Current Range | Current Size | Allocated Range | Allocated Size | Next Range |
|---|---|---|---|---|---|
| Initial range | 1 - 18 (0x1 - 0x12) | 18 | | | 19 (0x13) |
| Range allocation | 1 - 18 (0x1 - 0x12) | 18 | 19 - 36 (0x13 - 0x24) | 18 | 37 (0x25) |
| Range switch | 19 - 36 (0x13 - 0x24) | 18 | 19 - 36 (0x13 - 0x24) | 18 | 37 (0x25) |
| Range allocation | 19 - 36 (0x13 - 0x24) | 18 | 37 - 54 (0x25 - 0x36) | 18 | 55 (0x37) |
| Range switch | 37 - 54 (0x25 - 0x36) | 18 | 37 - 54 (0x25 - 0x36) | 18 | 55 (0x37) |
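The following Python script is an added example that models the progression above; it is not Dogtag PKI code. It reads a constructed CS.cfg fragment using the parameter names from the Configuration section (values in decimal or 0x-prefixed hexadecimal), keeps nextRange as a decimal integer the way the LDAP attribute is stored, and replays the events (initial range, allocation, switch) as serial numbers are issued. One assumption that the page does not state is the exact trigger for allocation: the model allocates the next range as soon as the number of unissued serials in the current range drops to the low water mark.

```python
"""Model of SSNv2 serial range progression (added example, not Dogtag code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed CS.cfg fragment; values deliberately mix decimal and 0x hex.
CS_CFG = """
dbs.cert.id.generator=legacy2
dbs.beginSerialNumber=0x1
dbs.endSerialNumber=0x12
dbs.serialIncrement=18
dbs.serialLowWaterMark=0x9
"""


def parse_number(value: str) -> int:
    """Parse a CS.cfg value given in decimal or in hexadecimal with 0x prefix."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def load_cfg(text: str) -> dict:
    """Minimal key=value parser for the CS.cfg lines used here."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def fmt_range(lo: int, hi: int) -> str:
    return f"{lo} - {hi} (0x{lo:x} - 0x{hi:x})"


@dataclass
class SerialRanges:
    begin: int
    end: int
    increment: int
    low_water_mark: int
    next_range: int            # mirrors the LDAP nextRange attribute (decimal)
    allocated: Optional[tuple] = None
    next_serial: int = field(init=False, default=0)
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.next_serial = self.begin
        self._record("Initial range")

    @classmethod
    def from_cfg(cls, cfg: dict) -> "SerialRanges":
        end = parse_number(cfg["dbs.endSerialNumber"])
        return cls(
            begin=parse_number(cfg["dbs.beginSerialNumber"]),
            end=end,
            increment=parse_number(cfg["dbs.serialIncrement"]),
            low_water_mark=parse_number(cfg["dbs.serialLowWaterMark"]),
            next_range=end + 1,   # initial nextRange: first number after the range
        )

    def _record(self, event: str):
        """Append one row in the same column order as the progression table."""
        alloc = self.allocated
        self.events.append((
            event,
            fmt_range(self.begin, self.end),
            self.end - self.begin + 1,
            fmt_range(*alloc) if alloc else "",
            (alloc[1] - alloc[0] + 1) if alloc else "",
            f"{self.next_range} (0x{self.next_range:x})",
        ))

    def issue(self) -> int:
        """Issue the next serial, switching or allocating ranges as needed."""
        if self.next_serial > self.end:
            if self.allocated is None:
                raise RuntimeError("current range exhausted and no range allocated")
            self.begin, self.end = self.allocated
            self.next_serial = self.begin
            self._record("Range switch")
            self.allocated = None
        serial = self.next_serial
        self.next_serial += 1
        remaining = self.end - self.next_serial + 1
        # Assumed trigger: allocate once the unissued count reaches the low water mark.
        if remaining <= self.low_water_mark and self.allocated is None:
            self.allocated = (self.next_range, self.next_range + self.increment - 1)
            self.next_range += self.increment   # would be written back to LDAP as decimal
            self._record("Range allocation")
        return serial


def simulate(cfg_text: str, count: int) -> SerialRanges:
    ranges = SerialRanges.from_cfg(load_cfg(cfg_text))
    for _ in range(count):
        ranges.issue()
    return ranges


if __name__ == "__main__":
    for row in simulate(CS_CFG, 40).events:
        print(" | ".join(str(c) for c in row))
```

Issuing 40 serials with the page's size 18 / increment 18 / minimum 9 reproduces the five rows of the table in order; issuing further would add a third allocation (55 - 72) once the 37 - 54 range reaches the low water mark.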

Migrating from SSNv1

T.B.A.
