Use random serial for CA certificate

2024-12-22 16:25:17 +00:00 · 2017-03-26 20:44:47 +00:00 · 2017-03-26 20:44:47 +00:00 · 44b6f13669
commit 44b6f13669
parent a663efd39e
2 changed files with 6 additions and 2 deletions
--- a/certidude/cli.py
+++ b/certidude/cli.py
@ -862,7 +862,10 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
            ).not_valid_before(datetime.utcnow()
            ).not_valid_after(
                datetime.utcnow() + timedelta(days=authority_lifetime)
-            ).serial_number(1
+            ).serial_number(
+                random.randint(
+                    0x100000000000000000000000000000000000000,
+                    0xfffffffffffffffffffffffffffffffffffffff)
            ).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True,
            ).add_extension(x509.KeyUsage(
                digital_signature=server_flags,
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@ -13,7 +13,8 @@ def test_cli_setup_authority():
    from certidude import const, config

    from certidude import authority
-    assert authority.ca_cert.serial_number == 1
+    assert authority.ca_cert.serial_number >= 0x100000000000000000000000000000000000000
+    assert authority.ca_cert.serial_number <= 0xfffffffffffffffffffffffffffffffffffffff
    assert authority.ca_cert.not_valid_before < datetime.now()
    assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000)