From 44b6f13669e8d33526b46c81b821739d4b771773 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Sun, 26 Mar 2017 20:44:47 +0000
Subject: [PATCH] Use random serial for CA certificate

---
 certidude/cli.py | 5 ++++-
 tests/test_cli.py | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/certidude/cli.py b/certidude/cli.py
index 2062287..aa0fc9d 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -862,7 +862,10 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
 ).not_valid_before(datetime.utcnow()
 ).not_valid_after(
 datetime.utcnow() + timedelta(days=authority_lifetime)
- ).serial_number(1
+ ).serial_number(
+ random.randint(
+ 0x100000000000000000000000000000000000000,
+ 0xfffffffffffffffffffffffffffffffffffffff)
 ).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True,
 ).add_extension(x509.KeyUsage(
 digital_signature=server_flags,
diff --git a/tests/test_cli.py b/tests/test_cli.py
index d979db5..5481029 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -13,7 +13,8 @@ def test_cli_setup_authority():
 from certidude import const, config
 from certidude import authority
- assert authority.ca_cert.serial_number == 1
+ assert authority.ca_cert.serial_number >= 0x100000000000000000000000000000000000000
+ assert authority.ca_cert.serial_number <= 0xfffffffffffffffffffffffffffffffffffffff
 assert authority.ca_cert.not_valid_before < datetime.now()
 assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000)
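Review bot: `random.randint` on the added `serial_number(...)` lines draws the CA serial from Python's Mersenne Twister, which is not a cryptographically secure generator, so the serial is predictable to anyone who can observe or reconstruct the PRNG state; the reason to randomize a CA serial at all (defeating chosen-prefix collision attacks on the signature hash, and the unpredictable-entropy requirement placed on CA serials) depends on the value being unguessable. Keep the same range but take it from the OS CSPRNG, e.g. `random.SystemRandom().randint(0x100000000000000000000000000000000000000, 0xfffffffffffffffffffffffffffffffffffffff)`, or, if the installed cryptography version provides it, `x509.random_serial_number()`. The two bounds appear to be 2**152 and 2**156 - 1 written as 39-digit hex literals, which is easy to miscount by one digit; spelling them as `2**152` and `2**156 - 1` makes it self-evident that the serial stays within RFC 5280's 20-octet limit and is always positive. `random` is not imported in this hunk, so presumably it is already imported at module level; the builder chain and `certidude_setup_authority` both continue outside the hunk.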
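Review bot: The two added assertions repeat the 39-digit hex bounds from cli.py verbatim, so a miscounted digit in either place would go unnoticed and the intended range (a 153- to 156-bit serial, if the literals are 2**152 and 2**156 - 1 as they appear) is not readable at a glance; `assert 2**152 <= authority.ca_cert.serial_number < 2**156` states the same check in one auditable line. A range check also says nothing about where the randomness comes from and passes equally for a predictable generator, so a comment such as `# range only; unpredictability of the serial is not covered by this test` would keep a later reader from assuming more than is verified. The hunk header counts 7 old and 8 new lines but only 6 and 7 are visible, so a context line was probably lost in extraction; `test_cli_setup_authority` may continue outside the hunk.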