Jira (PUP-6824) Use UUIDs for certificate serial numbers


Adrien Thebo (JIRA)

Oct 17, 2016, 2:07:02 PM10/17/16
to puppe...@googlegroups.com
Adrien Thebo created an issue
 
Puppet / Improvement PUP-6824
Use UUIDs for certificate serial numbers
Issue Type: Improvement
Assignee: Adrien Thebo
Created: 2016/10/17 11:06 AM
Labels: ca
Priority: Normal
Reporter: Adrien Thebo

Puppet has historically used a monotonically increasing serial number when signing certificates, which is the default behavior for the underlying library, OpenSSL. However, RFC 5280 4.1.2.2 indicates that serial numbers need only be 20-byte non-negative integers. We should switch to using 16-byte v4 UUIDs to reduce the likelihood of serial number collisions and make it easier to sign CSRs on multiple masters with the same CA certificate and key pair.

See also redmine #6725.

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
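The proposal in this post, as an added example that is not Puppet's own code: derive the serial from a random 16-byte v4 UUID, check it against the RFC 5280 4.1.2.2 limits (positive, at most 20 octets when DER-encoded), and use it when signing with Ruby's OpenSSL bindings. The self-signed CA, key sizes and subject names are constructed test fixtures.

```ruby
require 'openssl'
require 'securerandom'
# Serial derived from a random v4 UUID (16 bytes), in place of the
# incrementing counter OpenSSL uses by default.
def uuid_serial
  SecureRandom.uuid.delete('-').to_i(16)
end

# Content octets in the DER encoding of a non-negative INTEGER: a value
# whose top bit is set gains a leading 0x00 so it is not read as negative.
def der_integer_octets(n)
  (n.bit_length + 8) / 8
end

# RFC 5280 4.1.2.2: the serial must be a positive integer of at most 20
# octets. A 16-byte UUID encodes to at most 17 octets, so it always passes.
def rfc5280_serial_ok?(n)
  n.is_a?(Integer) && n > 0 && der_integer_octets(n) <= 20
end

# Throwaway self-signed CA (constructed fixture, not Puppet's CA).
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = uuid_serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Issue an end-entity certificate with a UUID serial. Any number of CA
# replicas sharing ca_key/ca_cert can call this without coordinating a counter.
def issue(ca_key, ca_cert, cn)
  serial = uuid_serial
  raise ArgumentError, 'serial violates RFC 5280' unless rfc5280_serial_ok?(serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = OpenSSL::PKey::RSA.new(2048).public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end
```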

Maggie Dreyer (JIRA)

May 16, 2017, 5:19:03 PM5/16/17
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Labels: ca, triaged

Adrien Thebo (JIRA)

Oct 20, 2017, 2:01:03 PM10/20/17
to puppe...@googlegroups.com
Adrien Thebo assigned an issue to Unassigned
Change By: Adrien Thebo
Assignee: Adrien Thebo → Unassigned

Owen Rodabaugh (JIRA)

Oct 20, 2017, 6:27:02 PM10/20/17
to puppe...@googlegroups.com
Owen Rodabaugh updated an issue
Change By: Owen Rodabaugh
CS Priority: Needs Priority

Owen Rodabaugh (JIRA)

Oct 26, 2017, 7:22:29 PM10/26/17
to puppe...@googlegroups.com
Owen Rodabaugh updated an issue
Change By: Owen Rodabaugh
CS Priority: Needs Priority → Major
CS Impact: This would seem to be a simple fix that would help avoid serial collisions and also make HA simpler.
CS Severity: 3 - Serious
CS Business Value: 4 - $$$$$
CS Frequency: 4 - 50-90% of Customers

Craig Gomes (JIRA)

Oct 27, 2017, 6:08:02 PM10/27/17
to puppe...@googlegroups.com
Craig Gomes updated an issue
Change By: Craig Gomes
Sprint: Platform Core Hopper

Craig Gomes (JIRA)

Oct 27, 2017, 6:08:02 PM10/27/17
to puppe...@googlegroups.com
Craig Gomes updated an issue
Change By: Craig Gomes
Labels: ca, the-goods

Zachary Smith (JIRA)

Oct 27, 2017, 8:20:12 PM10/27/17
to puppe...@googlegroups.com
Zachary Smith commented on Improvement PUP-6824
 
Re: Use UUIDs for certificate serial numbers

Yasmin Rajabi I believe HA is under your purview now. This is more or less a papercut but could solve some of the complexities in HA that are currently being worked around. Russell Mull and I touched on this a bit in our Puppet Conf talk last year: https://www.youtube.com/watch?v=lUSPOgXKwV8&t

We work around this in HA right now by offset indexing, adding 10000 to the replica CA so that any certs that get signed will not conflict with the serials on the primary. However, none of that would be needed if we implement this fairly simple solution where it's not a number being incremented. I also feel like when we have locking issues or APIs that are behaving badly, you also wouldn't ever see an issue with duplicate serial numbers being distributed, as UUIDs are often unique across time and space.

I can't see anything backward incompatible about this ticket and as most programming languages have uuid generation support I feel like it would be easy to implement. Probably the biggest win here might be simplifying failback of primary as there would never be a concern about the serial point in history, you mostly have to only worry about the signed directory on disk.

Yasmin Rajabi (JIRA)

Nov 2, 2017, 1:50:03 PM11/2/17
to puppe...@googlegroups.com
Yasmin Rajabi commented on Improvement PUP-6824

Zachary Smith thanks for bringing this to my attention. Would this just be a puppet server fix, or something done in enterprise?


Zachary Smith (JIRA)

Nov 2, 2017, 3:22:03 PM11/2/17
to puppe...@googlegroups.com
Zachary Smith commented on Improvement PUP-6824

Yasmin Rajabi The tooling is split between some ruby code `puppet cert` and puppet server (cert API). The only way I'm aware for us to ship this only in PE, would be to make it a PE - Server extension. I don't know of us doing a ruby change like this in PE only though. That's mostly to say it's likely a core puppet change and a puppet server change. Once it was done though we would want to create a ticket to fix the "offset indexing" we do in PE HA, so those changes will all be in PE only.

This solves a sort of minor problem that can have major considerations for PE HA over time. I think it's worth mentioning that this is more or less a band-aid but would be a good first step. Specifically, this might over time allow us to support Active/Active CAs. Given you don't have to worry about what number you are at on the primary vs replica, it solves the "who is in charge of signing certs" problem.

It doesn't solve the "who is in charge of revoking certs" problem, though for my money I think implementing the OCSP covered in OPTY-99 would do that in the long term by decentralizing the certificate revocation list.

I think moving to Active/Active HA over time, or at a bare minimum allowing easier fail back in PE HA, would be helped by this ticket, as it negates the possible collisions that could occur.

Justin Stoller (JIRA)

Dec 14, 2017, 7:54:02 PM12/14/17
to puppe...@googlegroups.com
Justin Stoller updated an issue
 
Change By: Justin Stoller
Sprint: Platform Core Hopper

Maggie Dreyer (JIRA)

Sep 30, 2019, 1:22:04 PM9/30/19
to puppe...@googlegroups.com
Maggie Dreyer commented on Improvement PUP-6824
 
Re: Use UUIDs for certificate serial numbers

The CA code is entirely in Clojure now, in puppetserver. I'll move this ticket to the SERVER project and put it with some other tickets to consider when we start looking at HA again.
