
Generate random serial number for certificate

Hardcoding 0x123 serial number would cause strict clients to reject the
certificate.

While uniqueness is still not guaranteed, the chance of a duplicate is
negligibly small.
This commit is contained in:
Jarrod Johnson 2021-09-22 07:48:44 -04:00
parent 3a911acb81
commit 4ab5cac3eb


@ -142,6 +142,7 @@ def create_certificate(keyout=None, certout=None):
extconfig = tempfile.mktemp()
csrout = tempfile.mktemp()
shutil.copy2(sslcfg, tmpconfig)
serialnum = '0x' + ''.join(['{:02x}'.format(x) for x in bytearray(os.urandom(20))])
try:
with open(tmpconfig, 'a') as cfgfile:
cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
@ -156,7 +157,7 @@ def create_certificate(keyout=None, certout=None):
'openssl', 'x509', '-req', '-in', csrout,
'-CA', '/etc/confluent/tls/cacert.pem',
'-CAkey', '/etc/confluent/tls/cakey.pem',
'-set_serial', '0x123', '-out', certout, '-days', '27300',
'-set_serial', serialnum, '-out', certout, '-days', '27300',
'-extfile', extconfig
])
finally:
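Review bot: The random serial built on the added `serialnum` line can exceed the 20-octet limit that RFC 5280 §4.1.2.2 places on serialNumber, which is exactly the kind of rule the strict clients named in the commit message enforce: whenever the first of the 20 `os.urandom` bytes has its high bit set, DER encoding of the positive INTEGER prepends a 0x00 byte and the serial becomes 21 octets. Clearing the top bit keeps the value positive and within 20 octets while still leaving 159 random bits, e.g. `rand = bytearray(os.urandom(20))`, `rand[0] &= 0x7f`, `serialnum = '0x' + ''.join('{:02x}'.format(x) for x in rand)`. The all-zero draw (serial 0, which RFC 5280 also forbids) is astronomically unlikely but could be guarded with a retry loop if you want the invariant stated in code. `create_certificate` begins before the first hunk and its `finally:` cleanup continues past the last line shown.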