mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-29 13:00:03 +00:00
Generate random serial number for certificate
Hardcoding the serial number 0x123 would cause strict clients to reject the certificate. While we still do not guarantee uniqueness, the chance of a duplicate is vanishingly small.
parent
3a911acb81
commit
4ab5cac3eb
@ -142,6 +142,7 @@ def create_certificate(keyout=None, certout=None):
|
||||
extconfig = tempfile.mktemp()
|
||||
csrout = tempfile.mktemp()
|
||||
shutil.copy2(sslcfg, tmpconfig)
|
||||
serialnum = '0x' + ''.join(['{:02x}'.format(x) for x in bytearray(os.urandom(20))])
|
||||
try:
|
||||
with open(tmpconfig, 'a') as cfgfile:
|
||||
cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
|
||||
@ -156,7 +157,7 @@ def create_certificate(keyout=None, certout=None):
|
||||
'openssl', 'x509', '-req', '-in', csrout,
|
||||
'-CA', '/etc/confluent/tls/cacert.pem',
|
||||
'-CAkey', '/etc/confluent/tls/cakey.pem',
|
||||
'-set_serial', '0x123', '-out', certout, '-days', '27300',
|
||||
'-set_serial', serialnum, '-out', certout, '-days', '27300',
|
||||
'-extfile', extconfig
|
||||
])
|
||||
finally:
|
||||
|
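Review bot: The new `serialnum` line draws 20 random bytes, so about half the time the top bit is set and the DER INTEGER needs a leading zero octet, making the encoded serial 21 octets; RFC 5280 caps serial numbers at 20 octets, so the strict clients this commit is meant to satisfy may still reject the certificate. Drawing 19 bytes keeps the value within the limit while leaving 152 bits of randomness: `serialnum = '0x' + ''.join(['{:02x}'.format(x) for x in bytearray(os.urandom(19))])`. A comment above the line, such as `# 19 bytes: RFC 5280 limits serials to 20 octets, and a set top bit adds a padding octet`, would keep the length from being raised again later. Separately, the unchanged context lines still choose the `extconfig` and `csrout` paths with `tempfile.mktemp()`, which is race-prone where `tempfile.mkstemp()` is not; that predates this commit. `create_certificate` starts and ends outside both hunks, so the cleanup under `finally:` is not visible here.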