xCAT/confluent
2
0
Fork 0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-26 03:19:48 +00:00
Code Issues Projects Releases Wiki Activity

Generate random serial number for certificate

Browse Source 
Hardcoding 0x123 serial number would cause strict clients to reject the
certificate.

While we are still not guaranteeing uniqueness, the chances of a
duplicate are impossibly small.
This commit is contained in:
Jarrod Johnson 2021-09-22 07:48:44 -04:00
parent 3a911acb81
commit 4ab5cac3eb
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
confluent_server/confluent/certutil.py
View File

@ -142,6 +142,7 @@ def create_certificate(keyout=None, certout=None):
extconfig = tempfile.mktemp()
csrout = tempfile.mktemp()
shutil.copy2(sslcfg, tmpconfig)
serialnum = '0x' + ''.join(['{:02x}'.format(x) for x in bytearray(os.urandom(20))])
try:
with open(tmpconfig, 'a') as cfgfile:
cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
@ -156,7 +157,7 @@ def create_certificate(keyout=None, certout=None):
'openssl', 'x509', '-req', '-in', csrout,
'-CA', '/etc/confluent/tls/cacert.pem',
'-CAkey', '/etc/confluent/tls/cakey.pem',
'-set_serial', '0x123', '-out', certout, '-days', '27300',
'-set_serial', serialnum, '-out', certout, '-days', '27300',
'-extfile', extconfig
])
finally: