-
Notifications
You must be signed in to change notification settings - Fork 141
Sequential Serial Numbers v1
The Sequential Serial Numbers v1 (SSNv1) is mainly described in Random Certificate Serial Numbers v1.
For request IDs, the configuration parameters use decimal numbers:
-
dbs.beginRequestNumber -
dbs.endRequestNumber -
dbs.requestCloneTransferNumber -
dbs.requestIncrement -
dbs.requestLowWaterMark
For certificate serial numbers, the configuration parameters use hexadecimal numbers:
-
dbs.beginSerialNumber -
dbs.endSerialNumber -
dbs.serialCloneTransferNumber -
dbs.serialIncrement -
dbs.serialLowWaterMark
The serial numbers issued using SSNv1 are not contiguous. Sometimes there are gaps between the serial numbers.
For example, suppose a CA is configured with the following range:
-
size: 18 (0x12)
-
increment: 18 (0x12)
-
minimum: 9 (0x9)
The range progression will look like the following:
| Event | Current Range | Current Size | Next Range | Allocated Range | Allocated Size |
|---|---|---|---|---|---|
Initial range |
1 - 18 (0x1 - 0x12) |
18 |
13 (0xd) |
||
Range allocation |
1 - 18 (0x1 - 0x12) |
18 |
31 (0x1f) |
13 - 30 (0xd - 0x1e) |
18 |
Range switch |
19 - 36 (0x13 - 0x24) |
18 |
31 (0x1f) |
13 - 30 (0xd - 0x1e) |
18 |
Range allocation |
19 - 36 (0x13 - 0x24) |
18 |
49 (0x31) |
31 - 48 (0x1f - 0x30) |
18 |
Range switch |
49 - 66 (0x31 - 0x42) |
18 |
49 (0x31) |
31 - 48 (0x1f - 0x30) |
18 |
There are two issues:
The first problem is, the initial Next Range is incorrectly set to 13 (0xd) whereas it should have been 19 (0x13).
This is caused by a bug in pki-server ca-range-update (SubsystemRangeUpdateCLI.java) that parses the dbs.endSerialNumber as a decimal instead of hexadecimal.
The second problem is, the serial numbers jumps from 36 (0x24) to 49 (0x31).
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |