From 4ab5cac3ebc82b617f485e08b92d14855577c7a6 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 22 Sep 2021 07:48:44 -0400
Subject: [PATCH] Generate random serial number for certificate

Hardcoding 0x123 serial number would cause strict clients to reject the certificate. While we are still not guaranteeing uniqueness, the chances of a duplicate are impossibly small.
---
 confluent_server/confluent/certutil.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index 427ed67a..d5696d7a 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -142,6 +142,7 @@ def create_certificate(keyout=None, certout=None):
     extconfig = tempfile.mktemp()
     csrout = tempfile.mktemp()
     shutil.copy2(sslcfg, tmpconfig)
+    serialnum = '0x' + ''.join(['{:02x}'.format(x) for x in bytearray(os.urandom(20))])
     try:
         with open(tmpconfig, 'a') as cfgfile:
             cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
@@ -156,7 +157,7 @@ def create_certificate(keyout=None, certout=None):
             'openssl', 'x509', '-req', '-in', csrout,
             '-CA', '/etc/confluent/tls/cacert.pem',
             '-CAkey', '/etc/confluent/tls/cakey.pem',
-            '-set_serial', '0x123', '-out', certout, '-days', '27300',
+            '-set_serial', serialnum, '-out', certout, '-days', '27300',
             '-extfile', extconfig
         ])
     finally:
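Review bot: The new `serialnum` line draws a full 20 random bytes, so roughly half the time the first byte has its top bit set and the DER INTEGER for the serial needs a leading 0x00, becoming 21 octets and exceeding the 20-octet maximum RFC 5280 places on serialNumber — the same kind of strict client the commit message is trying to satisfy may reject such certificates. Clearing the high bit before hex-encoding keeps the value positive and within the limit while still leaving 159 bits of CSPRNG output, far above the 64-bit minimum usually required: `serialbytes = bytearray(os.urandom(20))`, `serialbytes[0] &= 0x7f  # positive, <= 20 DER octets per RFC 5280`, `serialnum = '0x' + ''.join(['{:02x}'.format(x) for x in serialbytes])`. A one-line comment on why the serial is randomized at all (strict clients, collision avoidance within a CA) would also help the next reader, since `openssl x509 -set_serial` silently accepts any value. The enclosing create_certificate function starts before this hunk and continues past it, so whether the serial is persisted or checked against previously issued values cannot be seen here.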