Duplicate serials in cert bundle #962

Closed · mweissbacher opened this issue Jun 12, 2019 · 5 comments · Fixed by #999
@mweissbacher (Contributor):

We noticed duplicate serial numbers in our certificate bundle. All certs have the same Subject Info and Organization, but unique Subject Key ID. We have two servers sharing a database, which led to mostly 2x instances of serials; scaling up led to more collisions.

  • Version:
    0.8.0-dev

  • Platform:
    Linux spire 4.14.106-97.85.amzn2.x86_64 #1 SMP Fri Mar 15 17:07:54 UTC 2019 x86_64 Linux

  • Subsystem:
    Server

@azdagron (Member):

For better or worse, SPIRE server does not persist the last used serial number. It starts over every time SPIRE is started. Even if it did persist locally, that would not solve the problem for HA, where multiple SPIRE servers would need to have consensus about the next serial number.

Of course, we could possibly move to a sufficiently large random number (large enough to not be concerned about collision).

@azdagron (Member):

Curious how you are using the serial number. Is this for building a traditional CRL?

@evan2645 (Member):

I think there is a requirement somewhere (CA/B forum?) for random serials. This is definitely something we need to fix, not just in CA certs but for leafs too. It will be very problematic when we go to tackle revocation.

This is a deep topic and I think there are a lot of things we can do better. For instance, it would be great if we recorded SVID issuance somewhere. We can evict an agent, but what about the specific certificates that we granted that agent?

> All certs have the same Subject Info and Organization, but unique Subject Key ID.

Is this causing a problem for you @mweissbacher? Subject Key ID is unique because each server has its own keypair. CA subject should be configurable though, so I would imagine that it is possible to configure servers in the same cluster to have different subjects if need be... though that might result in some interesting behavior for downstream SPIRE servers (which take on a subject that is derived from the upstream server that issued the intermediate).
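The two technical points made above, azdagron's (the serial counter lives only in memory, restarts at 1 on every start, and is not coordinated across HA replicas) and evan2645's (serials should be random, with the CA/Browser Forum requiring at least 64 bits of entropy), can be made concrete in a few lines of Go. The program below is an added example written for this page, not SPIRE's own code: it models two replicas with a constructed `counterServer` type, builds a shared PEM bundle of the kind the reporter saw, finds serials shared by certificates that carry different Subject Key IDs, and then draws serials the way RFC 5280 section 4.1.2.2 and the Baseline Requirements want them (CSPRNG output, positive, at most 20 DER octets, well over 64 bits of entropy). The subject name, the 159-bit upper bound, and all function names are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// counterServer is a constructed model (not SPIRE's code) of a server whose serial
// counter lives only in memory: it restarts at 1 and is never shared with replicas.
type counterServer struct {
	key  *ecdsa.PrivateKey
	next int64
}

func newCounterServer() (*counterServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &counterServer{key: key, next: 1}, nil
}

// issue mints a self-signed CA cert with the next sequential serial. The subject is the
// same on every server; only the key differs, and Go derives the SKID from the key.
func (s *counterServer) issue() ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(s.next),
		Subject:               pkix.Name{Organization: []string{"SPIFFE"}, CommonName: "example.org"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	s.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &s.key.PublicKey, s.key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// findDuplicateSerials groups a PEM bundle's certs by issuer+serial (the pair RFC 5280
// requires to be unique) and returns each group with >1 member and the SKIDs sharing it.
func findDuplicateSerials(bundle []byte) (map[string][]string, error) {
	groups := map[string][]string{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		k := cert.Issuer.String() + " serial=" + cert.SerialNumber.String()
		groups[k] = append(groups[k], fmt.Sprintf("%x", cert.SubjectKeyId))
	}
	dups := map[string][]string{}
	for k, skids := range groups {
		if len(skids) > 1 {
			dups[k] = skids
		}
	}
	return dups, nil
}

// randomSerial is the fix the thread points at: a CSPRNG-drawn serial with far more than
// the 64 bits of entropy the CA/Browser Forum requires, positive, and at most 20 DER octets.
// Staying below 2^159 keeps the top bit clear so DER adds no sign octet; zero is rejected.
func randomSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 159)
	for {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return nil, err
		}
		if n.Sign() > 0 {
			return n, nil
		}
	}
}

func main() {
	a, _ := newCounterServer()
	b, _ := newCounterServer()
	var bundle []byte
	for _, s := range []*counterServer{a, b, a, b} { // two replicas, two rounds each
		p, _ := s.issue()
		bundle = append(bundle, p...)
	}
	dups, _ := findDuplicateSerials(bundle)
	fmt.Println("collisions:", dups)
	s, _ := randomSerial()
	fmt.Println("random serial:", s, "bits:", s.BitLen())
}
```

Running it prints the colliding issuer+serial keys with the two distinct SKIDs behind each. A single server's own serials never collide, so the check only fires across replicas or across restarts, which is the pattern the reporter observed when scaling up. The detector cannot judge entropy from a value, so it only checks shape; that a serial was drawn from a CSPRNG is a property of the issuer, not of the bundle.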

@mweissbacher (Contributor, Author):

@azdagron @evan2645 - thanks for responding so fast!

> Curious how you are using the serial number. Is this for building a traditional CRL?

This was just something that popped up as oddity and we felt might merit an issue ticket, we're not using the serial numbers for CRLs.

> > All certs have the same Subject Info and Organization, but unique Subject Key ID.
>
> Is this causing a problem for you

No, this was purely to document the issue better.

I'll check out the CA/B reference and let's discuss on slack further!
