From 13c733e697ef9c656e25700b58511d31bc1e2e52 Mon Sep 17 00:00:00 2001
From: Steven Danna
Date: Fri, 24 May 2019 17:26:04 +0100
Subject: [PATCH] [automate-cli] Generate unique serial for self-signed certs (#411)

Automate CLI generates a self-signed SSL certificate for the front-end load balancer if the user does not provide one. Previously, this certificate had a hard-coded Serial of 1. This PR changes it to a random serial to avoid errors in Firefox and potentially other browsers.

Signed-off-by: Steven Danna
---
 api/config/deployment/init_config.go | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/api/config/deployment/init_config.go b/api/config/deployment/init_config.go
index caa8ada23f5..d26be146669 100644
--- a/api/config/deployment/init_config.go
+++ b/api/config/deployment/init_config.go
@@ -356,9 +356,31 @@ func generatePrivateKey() (*rsa.PrivateKey, error) {
 return rsa.GenerateKey(rand.Reader, keyLength)
 }
 
+func generateSerial() (*big.Int, error) {
+ // According to
+ // https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf:
+ //
+ // Effective September 30, 2016, CAs SHALL generate
+ // non-sequential Certificate serial numbers greater than zero
+ // (0) containing at least 64 bits of output from a CSPRNG.
+ //
+ // Here, we set the limit to double this requirement.
+ limit := new(big.Int).Lsh(big.NewInt(1), 128)
+ ret, err := rand.Int(rand.Reader, limit)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to generate serial number")
+ }
+ return ret, nil
+}
+
 func generateCert(priv *rsa.PrivateKey, fqdn string) ([]byte, error) {
+ serial, err := generateSerial()
+ if err != nil {
+ return nil, err
+ }
+
 certSpec := x509.Certificate{
- SerialNumber: big.NewInt(1),
+ SerialNumber: serial,
 Subject: pkix.Name{
 Country: []string{"US"},
 Organization: []string{"Chef Software"},
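Review bot: rand.Int in generateSerial draws uniformly from [0, limit), so a zero serial is possible, which both the cited BR text ("greater than zero") and RFC 5280's positive-integer rule exclude; at 2^-128 odds this is a contract nit rather than a practical risk, but a guard such as `if ret.Sign() == 0 { return nil, errors.New("serial number must be positive") }` before the final return makes the stated requirement hold unconditionally. The explanatory comment would also serve readers better as a doc comment on the function, e.g. `// generateSerial returns a random 128-bit certificate serial number.` followed by the CA/Browser Forum citation, since inside the body godoc does not surface it. generateCert continues past the end of the hunk, so the remaining use of certSpec is not visible here.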