For background, earlier this month, DarkMatter applied for Mozilla root CA inclusion. There was an email thread [1] with concerns about DarkMatter, and one of the emails [2] was concerned that DarkMatter was generating serial numbers in this exact same fashion using EJBCA. There was a pretty long-winded discussion in the thread about whether flipping the MSB constituted a loss of 1 bit of entropy, and an EJBCA dev chimed in [3], saying basically that they are pushing a fix to solve this. This seems to have kicked off this issue. (There's a lot more to it, with DarkMatter's CTO saying that the method did not constitute a loss of a bit, etc., but this thread seems to be where the issue was discovered, at least.)