Feature #9883

Allow CAs to use randomized serials when signing

Added by Jim Pingle 12 months ago. Updated 11 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 11/04/2019
Due date:
% Done: 100%
Estimated time:

Description

Various guidelines suggest using randomized serial numbers when signing certificates, rather than using sequential numbers.

Add an option to CA entries (off by default) which will allow them to generate random serial numbers when signing for extra security.

The generated numbers must be tested against all known serials for a given CA to avoid accidentally duplicating a serial.
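
The duplicate check described above, sketched in Python as an added example; it is not pfSense's own code, which this page does not show. The `CA` record, its field names and `allocate_serial` are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Set

# RFC 5280 section 4.1.2.2: serials are positive integers of at most 20 octets.
# 159 bits keeps the DER INTEGER within 20 octets without a leading sign byte.
MAX_SERIAL_BITS = 159


@dataclass
class CA:
    """Hypothetical CA record; field names are assumptions for this sketch."""
    randomize_serial: bool = False   # off by default, as the issue requests
    next_serial: int = 1             # sequential counter used when the option is off
    issued: Set[int] = field(default_factory=set)  # every serial this CA has signed


def allocate_serial(ca: CA, bits: int = 64,
                    randbits: Callable[[int], int] = secrets.randbits,
                    max_attempts: int = 16) -> int:
    """Return an unused serial for `ca` and record it as issued."""
    if not 1 <= bits <= MAX_SERIAL_BITS:
        raise ValueError("bits must be between 1 and %d" % MAX_SERIAL_BITS)

    if not ca.randomize_serial:
        # Sequential mode: skip values already present (e.g. imported certs).
        while ca.next_serial in ca.issued:
            ca.next_serial += 1
        serial = ca.next_serial
        ca.next_serial += 1
        ca.issued.add(serial)
        return serial

    for _ in range(max_attempts):
        candidate = randbits(bits)   # CSPRNG output unless a test stub is injected
        # Reject zero (not positive) and anything this CA has already used.
        if candidate != 0 and candidate not in ca.issued:
            ca.issued.add(candidate)
            return candidate
    raise RuntimeError("no unused serial found; serial space may be exhausted")
```

The `issued` set has to include the serials of revoked and expired certificates as well, since a reused serial would match an existing CRL entry for that CA.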

Associated revisions

Revision 2c9601c9 (diff)
Added by Jim Pingle 12 months ago

Add support for randomized cert serial numbers. Implements #9883

Revision a6bd9e78 (diff)
Added by Jim Pingle 12 months ago

Validate CA/CRL serial input. Issue #9883 Issue #9869

Revision 94ce250e (diff)
Added by Jim Pingle 12 months ago

Move CA random serial option to upper section. Issue #9883

This allows it to be set when creating a new CA, so it doesn't have to
be edited in later.

Also show the next serial/random status in the CA info block
Hide trust store line from non-CA entries since it's not relevant to
certificates, only CAs.

History

#1 Updated by Jim Pingle 12 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#2 Updated by Viktor Gurov 11 months ago

Tested on pfSense 2.5.0.a.20191126.1832

It successfully creates random serials when creating certificates or signing CSR

Resolved

#3 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved
