Duplicate serials in cert bundle #962
For better or worse, SPIRE server does not persist the last used serial number. It starts over every time SPIRE is started. Even if it did persist locally, that would not solve the problem for HA, where multiple SPIRE servers would need to have consensus about the next serial number. Of course, we could possibly move to a sufficiently large random number (large enough to not be concerned about collision).
Curious how you are using the serial number. Is this for building a traditional CRL?
I think there is a requirement somewhere (CA/B forum?) for random serials. This is definitely something we need to fix, not just in CA certs but for leafs too. It will be very problematic when we go to tackle revocation. This is a deep topic and I think there are a lot of things we can do better. For instance, it would be great if we recorded SVID issuance somewhere. We can evict an agent, but what about the specific certificates that we granted that agent?
Is this causing a problem for you @mweissbacher? Subject Key ID is unique because each server has its own keypair. CA subject should be configurable though, so I would imagine that it is possible to configure servers in the same cluster to have different subjects if need be... though that might result in some interesting behavior for downstream SPIRE servers (which take on a subject that is derived from the upstream server that issued the intermediate).
@azdagron @evan2645 - thanks for responding so fast!
This was just something that popped up as an oddity and we felt might merit an issue ticket; we're not using the serial numbers for CRLs.
No, this was purely to document the issue better. I'll check out the CA/B reference and let's discuss on slack further!
We noticed duplicate serial numbers in our certificate bundle. All certs have the same Subject Info and Organization, but unique Subject Key ID. We have two servers sharing a database which led to mostly 2x instances of serials, scaling up led to more collisions.
Version:
0.8.0-dev
Platform:
Linux spire 4.14.106-97.85.amzn2.x86_64 #1 SMP Fri Mar 15 17:07:54 UTC 2019 x86_64 Linux
Subsystem:
Server
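The following Go program is an added example, not SPIRE's own code, that ties the report above to the fix the comments suggest: it builds constructed self-signed CA certs with the same subject but fresh keys (so Subject Key IDs differ), tallies serials across a bundle to surface collisions, and draws a replacement serial from the CSPRNG with enough bits that independent servers need no coordination. The "SPIRE" subject and the 158-bit width are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewRandomSerial draws 158 bits from the CSPRNG: above the CA/B Forum's 64-bit minimum, within DER's 20-octet limit.
func NewRandomSerial() (*big.Int, error) {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 158)) // uniform in [0, 2^158)
	if err != nil {
		return nil, err
	}
	return n.Add(n, big.NewInt(1)), nil // shift to [1, 2^158]: RFC 5280 forbids a zero serial
}

// SelfSignedCA is a constructed stand-in for one server's CA cert: a fresh key per call gives a distinct Subject Key ID.
func SelfSignedCA(serial *big.Int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{Organization: []string{"SPIRE"}, CommonName: "SPIRE"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // Go derives SubjectKeyId from the key for CA templates
}

// SerialCounts tallies how many bundle certificates carry each serial; any count above 1 is a collision.
func SerialCounts(bundle []*x509.Certificate) map[string]int {
	counts := map[string]int{}
	for _, c := range bundle {
		counts[c.SerialNumber.String()]++
	}
	return counts
}

func main() {
	s, _ := NewRandomSerial()
	println(s.String()) // a serial two independent servers would not collide on
}
```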