
[Pki-devel] [PATCH] pkispawn man page ECC example



Please review the following patch that addresses:


From b36a3b84ba95d66d38335da3f880453b9759a649 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen redhat com>
Date: Fri, 10 Jul 2015 15:58:17 -0600
Subject: [PATCH] pkispawn man page ECC example

- PKI TRAC Ticket #1460 - Add 'pkispawn' man page example for ECC
---
 base/server/man/man8/pkispawn.8 | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index ef1857d..f4df57b 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -208,6 +208,40 @@ The instance name (defined by pki_instance_name) is pki-tomcat, and it is locate
 A PKCS #12 file containing the administrator certificate is created in \fI$HOME/.dogtag/pki-tomcat\fP.  This PKCS #12 file uses the password designated by pki_client_pkcs12_password in the configuration file.
 .PP
 To access the agent pages, first import the CA certificate by accessing the CA End Entity Pages and clicking on the Retrieval Tab.  Be sure to trust the CA certificate.  Then, import the administrator certificate in the PKCS #12 file.
+.SS CA using ECC default configuration
+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_ssl_server_key_algorithm=SHA256withEC
+pki_ssl_server_key_size=nistp256
+pki_ssl_server_key_type=ecc
+pki_subsystem_key_algorithm=SHA256withEC
+pki_subsystem_key_size=nistp256
+pki_subsystem_key_type=ecc
+
+[CA]
+pki_ca_signing_key_algorithm=SHA256withEC
+pki_ca_signing_key_size=nistp256
+pki_ca_signing_key_type=ecc
+pki_ca_signing_signing_algorithm=SHA256withEC
+pki_ocsp_signing_key_algorithm=SHA256withEC
+pki_ocsp_signing_key_size=nistp256
+pki_ocsp_signing_key_type=ecc
+pki_ocsp_signing_signing_algorithm=SHA256withEC
+.fi
+.PP
+In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively.
+.PP
+Additionally, for a CA subsystem, both the CA and OCSP Signing key algorithm, key size, key type, and signing algorithm should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, rsa --> ecc, and SHA256withRSA --> SHA256withEC,respectively.
+.TP
+\fBNote:\fP 
+For all PKI subsystems, ECC is not supported for the corresponding Audit Signing parameters.  Similarly, for KRA subsystem, ECC is not supported for either of the corresponding Storage or Transport parameters.
 .SS KRA, OCSP, or TKS using default configuration
 \x'-1'\fBpkispawn \-s <subsystem> \-f myconfig.txt\fR
 .PP
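
Review bot: In the paragraph beginning "Additionally, for a CA subsystem", the text "SHA256withEC,respectively." is missing the space after the comma and will render that way in the formatted page. Both explanatory paragraphs also pack three or four "old --> new" pairs into one sentence, which is hard to map back to the parameters; consider writing the arrows as "to", or listing each parameter with its RSA default and its ECC value. The Note says ECC is not supported for the Audit Signing parameters, so an instance built from this example ends up with mixed key types. It would help to say explicitly that those parameters must be left at their RSA defaults, since a reader following the "change everything from rsa to ecc" wording above could otherwise try to override them as well. Finally, the sample file shows the literal password123 for all three password settings; a short remark that these are placeholders to be replaced would keep the example from being copied verbatim into a real deployment.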
-- 
1.8.3.1

