Commit 615d6f21 authored by Helga Velroyen

Backend: Use timestamp as serial no for server cert

So far, all of Ganeti's server certificates had the serial
number '1'. While this works, it makes it hard to
distinguish situations where the certificate is
renewed from those where it wasn't. This patch uses
a timestamp as serial number.

While this is still not strictly according to the SSL RFC,
it is at least a number that is strictly growing and we
can be sure that no two different server certificates
will have the same serial number.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>
parent 5dd17acc
......@@ -3991,9 +3991,11 @@ def CreateX509Certificate(validity, cryptodir=pathutils.CRYPTO_KEYS_DIR):
@return: Certificate name and public part
"""
serial_no = int(time.time())
(key_pem, cert_pem) = \
utils.GenerateSelfSignedX509Cert(netutils.Hostname.GetSysName(),
min(validity, _MAX_SSL_CERT_VALIDITY), 1)
min(validity, _MAX_SSL_CERT_VALIDITY),
serial_no)
cert_dir = tempfile.mkdtemp(dir=cryptodir,
prefix="x509-%s-" % utils.TimestampForFilename())
......
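Review bot: `serial_no = int(time.time())` truncates to whole seconds, so two calls to CreateX509Certificate within the same second receive the same serial number, and a system clock that is stepped backwards yields a smaller serial than the previous certificate. That is at odds with the uniqueness and strict growth the commit message relies on. Consider deriving the serial from a finer-grained or randomized value, or at least add a comment above the assignment stating that it assumes a monotonic clock and at most one certificate per second. The function's docstring could also mention that the serial number is now time-based, since callers comparing certificates may start to depend on it.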