Random Certificate Serials in FreeIPA

October 23, 2018

Intro

I recently broke my FreeIPA setup, and needed to reinstall from scratch. Since FreeIPA by default creates certificates with serial numbers starting at 1, I ended up with a Certificate Authority with the same serial number and fields as my previous installation, but with a different certificate. Unfortunately, this caused a sec_error_reused_issuer_and_serial error in Firefox, which I couldn’t bypass. I tried a number of different solutions to try and fix this issue, including clearing out the certificate database as well as resetting my Firefox profile, but none of them worked.


Solution

In the end, I was able to work around the Firefox error by enabling random certificate serial numbers in FreeIPA and reinstalling. If random serials are enabled, FreeIPA will use a random, nonsequential number for the certificate serial number rather than starting at 1. If this is enabled before FreeIPA is installed, the Certificate Authority will also be generated with a random serial, which prevents Firefox from throwing an error.

To enable random certificate serial numbers, we need to modify the Dogtag PKI configuration. The Dogtag system is used by FreeIPA to create the integrated Certificate Authority and provision certificates. Before installing FreeIPA, edit the /etc/pki/default.cfg file on your IPA server and find the following line:

pki_random_serial_numbers_enabled=False

Change it to:

pki_random_serial_numbers_enabled=True

Save and close the file. You can now complete the FreeIPA installation as per usual; after it finishes installing, we can check the list of certificates in the WebUI under Authentication -> Certificates, and we will see that the certificate serial numbers are all random and nonsequential. Firefox should also now load pages signed by the FreeIPA Certificate Authority without complaining about reused serial numbers.


Questions? Comments? Reach out to me via Email or Mastodon!