Backend: Use timestamp as serial no for server cert
authorHelga Velroyen <helgav@google.com>
Wed, 24 Jun 2015 11:27:30 +0000 (13:27 +0200)
committerHelga Velroyen <helgav@google.com>
Mon, 6 Jul 2015 10:46:46 +0000 (12:46 +0200)
So far, all of Ganeti's server certificates had the serial
number '1'. While this works, it makes it hard to
distinguish situations where the certificate is
renewed from those where it wasn't. This patch uses
a timestamp as serial number.

While this is still not strictly according to the SSL RFC,
it is at least a number that is strictly growing and we
can be sure that no two different server certificates
will have the same serial number.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

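The commit message argues that a timestamp serial is strictly growing and never repeats. The following added example (not Ganeti code, written for this page) makes the limits of that claim concrete: a whole-seconds serial repeats when two certificates are generated in the same second, and a timestamp with random low bits keeps the time-ordering while avoiding that collision. The function names, the RFC 5280 size check and the sample timestamp are all assumptions of the example; it uses only the Python standard library.

```python
"""Serial-number strategies for self-signed X.509 certs.

Added example for this page; not part of Ganeti's lib/backend.py.
"""
import secrets
import time

# RFC 5280 section 4.1.2.2: the serial number MUST be a positive integer and
# conforming CAs MUST NOT use values longer than 20 octets. A positive DER
# INTEGER with its top bit set needs a leading 0x00 byte, so any value below
# 2**159 is guaranteed to encode in at most 20 octets.
MAX_SERIAL = 2 ** 159 - 1


def timestamp_serial(now=None):
    """Serial as the patch builds it: whole seconds since the Unix epoch."""
    if now is None:
        now = time.time()
    return int(now)


def timestamp_random_serial(now=None, rand_bits=64, rng=secrets.randbits):
    """Seconds since the epoch in the high bits, random bits in the low bits.

    The serial still sorts by creation time (the property the patch wants),
    but two certificates created in the same second no longer collide unless
    the random parts also match. `rng` is injectable so tests stay
    deterministic.
    """
    if now is None:
        now = time.time()
    return (int(now) << rand_bits) | rng(rand_bits)


def serial_is_rfc5280_valid(serial):
    """Positive and encodable in at most 20 DER octets."""
    return 0 < serial <= MAX_SERIAL


def collides_within_second(make_serial, now, calls=2):
    """True if repeated calls at the same wall-clock second yield duplicates.

    `now` is passed explicitly, which models several certificate requests
    arriving before the clock ticks over to the next second.
    """
    serials = [make_serial(now) for _ in range(calls)]
    return len(set(serials)) < len(serials)


if __name__ == "__main__":
    # Constructed Unix timestamp (mid-2015), not taken from a real cluster.
    now = 1435145250.0
    print("timestamp serial:", hex(timestamp_serial(now)))
    print("collides within one second:",
          collides_within_second(timestamp_serial, now))
    mixed = timestamp_random_serial(now)
    print("timestamp+random serial:", hex(mixed))
    print("collides within one second:",
          collides_within_second(timestamp_random_serial, now))
    print("fits RFC 5280 limits:", serial_is_rfc5280_valid(mixed))
```

The second-resolution serial is still a clear improvement over the constant 1 for telling a renewed certificate from the old one, but anything that can issue two certificates in the same second (a renewal retried by a script, two nodes bootstrapped in parallel) needs the extra entropy before the "no two certificates share a serial" guarantee holds.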
lib/backend.py

index 59260d5..5a04c7f 100644 (file)
@@ -3991,9 +3991,11 @@ def CreateX509Certificate(validity, cryptodir=pathutils.CRYPTO_KEYS_DIR):
   @return: Certificate name and public part
 
   """
   @return: Certificate name and public part
 
   """
+  serial_no = int(time.time())
   (key_pem, cert_pem) = \
     utils.GenerateSelfSignedX509Cert(netutils.Hostname.GetSysName(),
   (key_pem, cert_pem) = \
     utils.GenerateSelfSignedX509Cert(netutils.Hostname.GetSysName(),
-                                     min(validity, _MAX_SSL_CERT_VALIDITY), 1)
+                                     min(validity, _MAX_SSL_CERT_VALIDITY),
+                                     serial_no)
 
   cert_dir = tempfile.mkdtemp(dir=cryptodir,
                               prefix="x509-%s-" % utils.TimestampForFilename())
 
   cert_dir = tempfile.mkdtemp(dir=cryptodir,
                               prefix="x509-%s-" % utils.TimestampForFilename())