[Pki-devel] Fwd: [Freeipa-users] SHA-1 certificate support

Christina Fu cfu at redhat.com
Thu Oct 25 17:55:39 UTC 2012


On 10/25/2012 07:07 AM, Rob Crittenden wrote:
> Nalin Dahyabhai wrote:
>> On Wed, Oct 24, 2012 at 04:02:53PM -0400, Rob Crittenden wrote:
>>> I assume he'd have to modify a profile to do this?
>>
>> There are two signatures when you're talking about using a CSR to
>> request a certificate from an external CA.
>>
>> There's the digest used for the signature that the issuer includes in
>> the certificate.  In Dogtag, I believe that the allowed types are
>> enumerated (by a signingAlgConstraint) in the profile, and the default
>> is specified (as "ca.signing.defaultSigningAlgorithm") in the CA's
>> CS.cfg file.
>>
>> Someone please correct me if I'm looking at the wrong places there.
>>
>> Then there's the digest used for the self-signature that the client
>> includes in the CSR.  The IPA install script uses certutil, and it
>> looks like certutil uses SHA1 by default.  That's fine for this user,
>> but I'll note that we can apparently use certutil's (undocumented?) -Z
>> flag to switch that to something like SHA256.
>
> The CSR is generated by dogtag. I'm not sure if it forks out to 
> certutil or not but I'd suspect it doesn't.
>
> Can someone from the CS team confirm that changing the 
> defaultSigningAlgorithm is the right thing to do here?
>
Andrew is correct that you can also just change the following line in 
the profile (the "-" is telling the server to use the CA's default one 
from the CS.cfg) so it will only affect that particular profile:
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=-
to
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA
> rob
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
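As an added illustration of the two knobs discussed above (not Dogtag code and not from any participant in the thread): a small stdlib-only helper that parses CS.cfg and a profile file in their key=value form and resolves the constraint the way Christina describes, where a value of "-" defers to ca.signing.defaultSigningAlgorithm in CS.cfg. The key name policyset.serverCertSet.8.constraint.params.signingAlgsAllowed and the CS.cfg key are taken from the messages; reading a non-"-" value as a comma-separated list of algorithm names, and the sample file contents, are assumptions made for the example.

```python
"""Resolve which signing algorithms a Dogtag profile actually permits.

Added example, not Dogtag code.  It models the rule stated in the thread: a
profile's signingAlgsAllowed constraint of "-" means "use the CA default from
CS.cfg" (ca.signing.defaultSigningAlgorithm); any other value is read here as
an explicit comma-separated list (an assumption of this example).
"""
from typing import Dict, List

# Key named in the thread; the profile snippets below are constructed samples.
CONSTRAINT_KEY = "policyset.serverCertSet.8.constraint.params.signingAlgsAllowed"
CA_DEFAULT_KEY = "ca.signing.defaultSigningAlgorithm"


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines (the shape of CS.cfg and profile .cfg files).

    Blank lines and '#' comments are skipped; only the first '=' separates the
    key from the value, so values containing '=' survive intact.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a property line; ignore
        props[key.strip()] = value.strip()
    return props


def effective_signing_algs(profile: Dict[str, str], cscfg: Dict[str, str],
                           constraint_key: str = CONSTRAINT_KEY) -> List[str]:
    """Return the algorithms the constraint permits after resolving '-'.

    '-' (or a missing key) falls back to the single CA default from CS.cfg;
    anything else is split on commas.
    """
    value = profile.get(constraint_key, "-")
    if value == "-":
        default = cscfg.get(CA_DEFAULT_KEY)
        if default is None:
            raise KeyError(f"CS.cfg has no {CA_DEFAULT_KEY}")
        return [default]
    return [alg.strip() for alg in value.split(",") if alg.strip()]


def is_allowed(alg: str, allowed: List[str]) -> bool:
    """True if a requested signing algorithm passes the resolved constraint."""
    return alg in allowed


# Constructed sample inputs (not real files).
SAMPLE_CSCFG = """
# CA-wide default, used whenever a profile constraint says "-"
ca.signing.defaultSigningAlgorithm=SHA256withRSA
"""

PROFILE_USES_DEFAULT = f"""
{CONSTRAINT_KEY}=-
"""

PROFILE_PINNED_SHA1 = f"""
{CONSTRAINT_KEY}=SHA1withRSA
"""


def demo():
    """Resolve both sample profiles against the sample CS.cfg."""
    cscfg = parse_properties(SAMPLE_CSCFG)
    via_default = effective_signing_algs(parse_properties(PROFILE_USES_DEFAULT), cscfg)
    pinned = effective_signing_algs(parse_properties(PROFILE_PINNED_SHA1), cscfg)
    return via_default, pinned


if __name__ == "__main__":
    via_default, pinned = demo()
    print("profile with '-'        :", via_default,
          "SHA1withRSA allowed?", is_allowed("SHA1withRSA", via_default))
    print("profile with SHA1withRSA:", pinned,
          "SHA1withRSA allowed?", is_allowed("SHA1withRSA", pinned))
```

The point the helper makes concrete is the scope difference in the thread: changing ca.signing.defaultSigningAlgorithm moves every profile that still says "-", while editing the one profile's signingAlgsAllowed line affects only that profile.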