[Pki-devel] Fwd: [Freeipa-users] SHA-1 certificate support

Dhiva dhiva at es.net
Wed Oct 24 21:31:19 UTC 2012


Does this also change the value of the "Subject Key Identifier" and "Authority 
Key Identifier" extensions?
I am getting inconsistent results, but I am not sure whether the algorithm should 
be the same as the one used to sign the certificate.

- dhiva


On 10/24/12 2:09 PM, Andrew Wnuk wrote:
> On 10/24/2012 01:38 PM, Nalin Dahyabhai wrote:
>> On Wed, Oct 24, 2012 at 04:02:53PM -0400, Rob Crittenden wrote:
>>> I assume he'd have to modify a profile to do this?
>> There are two signatures when you're talking about using a CSR to
>> request a certificate from an external CA.
>>
>> There's the digest used for the signature that the issuer includes in
>> the certificate.  In Dogtag, I believe that the allowed types are
>> enumerated (by a signingAlgConstraint) in the profile, and the default
>> is specified (as "ca.signing.defaultSigningAlgorithm") in the CA's
>> CS.cfg file.
>
> You can also specify a default signing algorithm in the profile without 
> changing the CA's default signing algorithm.
>
> IPA's profile could, but it does not specify a default signing algorithm.
>     See caIPAserviceCert.cfg:
> policyset.serverCertSet.8.default.params.signingAlg=-
>
> To specify a default signing algorithm in the IPA profile, modify the above 
> line by including a signing algorithm from the constraint list.
>     See caIPAserviceCert.cfg:
> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=. . .
>
>>
>> Someone please correct me if I'm looking at the wrong places there.
>>
>> Then there's the digest used for the self-signature that the client
>> includes in the CSR.  The IPA install script uses certutil, and it
>> looks like certutil uses SHA1 by default.  That's fine for this user,
>> but I'll note that we can apparently use certutil's (undocumented?) -Z
>> flag to switch that to something like SHA256.
>>
>> HTH,
>>
>> Nalin
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
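
Added example (not code from the thread, Dogtag or FreeIPA): the Subject Key Identifier question above is answered by RFC 5280 section 4.2.1.2, which derives the SKI from the subjectPublicKey BIT STRING of the SubjectPublicKeyInfo and nothing else; the issuer's signature digest (SHA-1 vs SHA-256) is not an input, and the Authority Key Identifier of an issued certificate simply carries the issuer's SKI. The script below builds a SubjectPublicKeyInfo from a constructed toy RSA modulus (not a usable key; the numbers are made up for the demonstration) with a minimal hand-written DER encoder, then computes both key-identifier forms RFC 5280 describes using only the standard library. Whether a given CA uses method 1 or method 2 is a per-implementation choice, so check the issued certificate rather than assuming.

```python
"""Subject Key Identifier per RFC 5280 4.2.1.2, computed with only the stdlib.

The SKI is a function of the subjectPublicKey BIT STRING alone.  Neither the
signature algorithm of the certificate nor of the CSR changes it.
"""
import hashlib

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    # One extra bit of room keeps the sign bit clear for positive integers.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der(0x02, body)


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(enc))
    return der(0x06, bytes(out))


def build_rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key (n, e).  n here is a toy, not a real key."""
    rsa_public_key = der(0x30, der_int(n) + der_int(e))
    algorithm = der(0x30, der_oid(RSA_ENCRYPTION_OID) + b"\x05\x00")  # NULL params
    subject_public_key = der(0x03, b"\x00" + rsa_public_key)          # 0 unused bits
    return der(0x30, algorithm + subject_public_key)


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki):
    """The subjectPublicKey BIT STRING contents, without the unused-bits byte."""
    tag, seq, _ = der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, pos = der_read(seq, 0)
    tag, bits, _ = der_read(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bits[1:]


def ski_method1(spki):
    """Method 1: the 160-bit SHA-1 of the subjectPublicKey BIT STRING value."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()


def ski_method2(spki):
    """Method 2: the four-bit type 0100 followed by the low 60 bits of that SHA-1."""
    low60 = hashlib.sha1(subject_public_key_bits(spki)).digest()[-8:]
    return bytes([0x40 | (low60[0] & 0x0F)]) + low60[1:]


def aki_key_identifier(issuer_spki):
    """The keyIdentifier an issued cert's AKI carries: the issuer's own SKI."""
    return ski_method1(issuer_spki)


if __name__ == "__main__":
    # Constructed toy keys for the demonstration only.
    issuer = build_rsa_spki(0xC0FFEE1234567890ABCDEF, 65537)
    leaf = build_rsa_spki(0xDEADBEEF0123456789ABCDEF, 65537)
    print("issuer SKI (method 1):", ski_method1(issuer).hex())
    print("issuer SKI (method 2):", ski_method2(issuer).hex())
    print("leaf SKI   (method 1):", ski_method1(leaf).hex())
    print("leaf AKI keyIdentifier:", aki_key_identifier(issuer).hex())
```

Re-signing the same public key with a different digest leaves the SPKI, and therefore the SKI, unchanged; a different SKI for the same key means the key bytes (or the identifier method) differ, not the signature algorithm.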