[Pki-devel] Fwd: [Freeipa-users] SHA-1 certificate support

Nalin Dahyabhai nalin at redhat.com
Wed Oct 24 20:38:36 UTC 2012


On Wed, Oct 24, 2012 at 04:02:53PM -0400, Rob Crittenden wrote:
> I assume he'd have to modify a profile to do this?

There are two signatures when you're talking about using a CSR to
request a certificate from an external CA.

There's the digest used for the signature that the issuer includes in
the certificate.  In Dogtag, I believe that the allowed types are
enumerated (by a signingAlgConstraint) in the profile, and the default
is specified (as "ca.signing.defaultSigningAlgorithm") in the CA's
CS.cfg file.

Someone please correct me if I'm looking at the wrong places there.

Then there's the digest used for the self-signature that the client
includes in the CSR.  The IPA install script uses certutil, and it
looks like certutil uses SHA1 by default.  That's fine for this user,
but I'll note that we can apparently use certutil's (undocumented?) -Z
flag to switch that to something like SHA256.

HTH,

Nalin
