diff --git a/certidude/cli.py b/certidude/cli.py
index 2062287..aa0fc9d 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -862,7 +862,10 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
 ).not_valid_before(datetime.utcnow()
 ).not_valid_after(
 datetime.utcnow() + timedelta(days=authority_lifetime)
- ).serial_number(1
+ ).serial_number(
+ random.randint(
+ 0x100000000000000000000000000000000000000,
+ 0xfffffffffffffffffffffffffffffffffffffff)
 ).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True,
 ).add_extension(x509.KeyUsage(
 digital_signature=server_flags,
diff --git a/tests/test_cli.py b/tests/test_cli.py
index d979db5..5481029 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -13,7 +13,8 @@ def test_cli_setup_authority():
 from certidude import const, config
 from certidude import authority
- assert authority.ca_cert.serial_number == 1
+ assert authority.ca_cert.serial_number >= 0x100000000000000000000000000000000000000
+ assert authority.ca_cert.serial_number <= 0xfffffffffffffffffffffffffffffffffffffff
 assert authority.ca_cert.not_valid_before < datetime.now()
 assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000)
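Review bot: The new `.serial_number(...)` argument in certidude/cli.py draws from `random.randint`, which is backed by Python's Mersenne Twister rather than a cryptographically secure generator, so the serial looks random but is not unpredictable. Serial unpredictability is the property CA guidance asks for (at least 64 bits from a CSPRNG), so I would change `random.randint(` to `random.SystemRandom().randint(` and keep the same two bounds. If the pinned `cryptography` release provides `x509.random_serial_number()`, that is the simpler choice, but the range assertions in tests/test_cli.py would then need relaxing. The hunk does not show whether `random` is imported in cli.py, and `certidude_setup_authority` starts and ends outside it.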
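Review bot: The two new range assertions in tests/test_cli.py repeat the long hex bounds from certidude/cli.py as literals, so a one-digit slip in either file is easy to make and hard to spot in review. Defining the bounds once, for example in `certidude.const` (which this test already imports), and referencing them from both places would keep generator and test in step. A short comment above the assertions such as `# serial must be random within the configured range, not the old fixed value 1` would also record why the check changed. The body of `test_cli_setup_authority` continues outside the hunk.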