[Pki-users] Questions on customizing certificate profiles

Marc Sauton msauton at redhat.com
Tue Apr 6 18:04:21 UTC 2010


For this first CA, what about changing the pre-op settings in the main 
config file, like:
preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
-->
preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
?
M.

On 04/06/2010 10:40 AM, Arshad Noor wrote:
> One more bit of information; in addition to adding the
> "default.params.signingAlg" parameter, I also modified the
> following parameters in caCACert.cfg, but I still keep
> getting SHA1withRSA; none of my changes are picked up in
> the self-signed cert:
>
> policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
> policyset.caCertSet.9.constraint.name=No Constraint
> policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC 
>
> policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
> policyset.caCertSet.9.default.name=Signing Alg
> policyset.caCertSet.9.default.params.signingAlg=SHA256withRSA
>
> Arshad Noor
> StrongAuth, Inc.
>
> Arshad Noor wrote:
>> Hi,
>>
>> I thought I used to know the Certificate Server, but it appears
>> that so much has changed that I feel like I'm starting over again.
>> Hopefully, I'm the one who's making mistakes and that DogTag is
>> really not different from RHCS.
>>
>> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
>> customize the initial certificates created by the installation
>> process.  For example, here is what I'm doing:
>>
>> 1) Run "yum install pki-ca".
>> 2) Run "pkicreate" with appropriate parameters.
>> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
>>    files to do the following:
>>
>>     - Add "default.params.signingAlg=SHA256withRSA" to the files;
>>     - Remove digitalSignature and nonRepudiation for CA cert;
>>     - Remove digitalSignature, nonRepudiation, dataEncipherment
>>         for Server cert;
>>     - Change default validity periods, etc.
>>
>> Yet, none of the certificates generated by the installation process
>> have these changes in them.
>>
>> I've tried stopping "pki-cad", copying the modified *.cfg files to
>> the appropriate "<instance>/profiles/ca" directory and restarting
>> pki-cad in case the service needed to see the modified files at
>> startup - but to no avail.
>>
>> I've tried modifying the *.profile files in the /etc/<instance>
>> directory, but to no avail.
>>
>> How does one customize the certificates before the self-signed cert
>> is generated?
>>
>> I'm going through the PDF documentation for RHCS 8.0 and assuming
>> that the instructions there apply to DogTag too.  The version number
>> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
>> repository.
>>
>> Thanks.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>


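Both config files named in this thread, the main config file with the preop.* key Marc points at and the profile files such as caCACert.cfg with the policyset.* keys Arshad quoted, are plain key=value lines, so one small audit script can check them for a weak signing algorithm and rewrite it. The following is an added example and not code from the thread or from the Dogtag project: the function names (parse_properties, audit, harden) are my own, the sample inputs are constructed (the preop line and the caCertSet.9 block are copied from the thread; the serverCertSet.8 block with SHA1withRSA is invented to give the audit something to flag), and the rule that a policy set's default must be in its constraint's allowed list is what the two quoted plugins imply, not a documented Dogtag check.

```python
"""Audit and harden signing-algorithm settings in Dogtag-style config files.

Both the main config (preop.* keys) and the profile files under
profiles/ca (policyset.* keys) are plain key=value properties, so one
parser serves both.  Example code, not part of the mailing-list thread.
"""
import re
from typing import Dict, List, Tuple

# Algorithms a CA should no longer sign with, in the JCA-style names the
# config files use (SHA1withRSA, SHA256withRSA, ...).
WEAK_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withEC", "SHA1withDSA"}

# Constructed sample inputs (not copied from a real instance).  The preop
# line and the caCertSet.9 block are the ones quoted in the thread; the
# serverCertSet.8 block is invented and deliberately weak.
SAMPLE_CS_CFG = """\
# main config, fragment
preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
"""

SAMPLE_PROFILE = """\
policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
policyset.caCertSet.9.constraint.name=No Constraint
policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
policyset.caCertSet.9.default.name=Signing Alg
policyset.caCertSet.9.default.params.signingAlg=SHA256withRSA
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.params.signingAlg=SHA1withRSA
"""

# policyset.<set>.<n>.default.class_id identifies one policy entry
POLICY_DEFAULT = re.compile(r"^(policyset\.[^.]+\.\d+)\.default\.class_id$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments; keeps file order."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, problem) pairs for every weak or inconsistent signing setting."""
    findings: List[Tuple[str, str]] = []
    # Main-config style keys such as preop.cert.signing.defaultSigningAlgorithm
    for key, value in props.items():
        if key.endswith("defaultSigningAlgorithm") and value in WEAK_ALGS:
            findings.append((key, f"weak signing algorithm {value}"))
    # Profile policy sets: pair each signingAlgDefaultImpl with its constraint
    for key, value in props.items():
        m = POLICY_DEFAULT.match(key)
        if not m or value != "signingAlgDefaultImpl":
            continue
        prefix = m.group(1)
        default_key = prefix + ".default.params.signingAlg"
        allowed_key = prefix + ".constraint.params.signingAlgsAllowed"
        default_alg = props.get(default_key)
        allowed = [a.strip() for a in props.get(allowed_key, "").split(",") if a.strip()]
        if default_alg is None:
            findings.append((default_key, "no default signing algorithm set"))
        elif default_alg in WEAK_ALGS:
            findings.append((default_key, f"weak signing algorithm {default_alg}"))
        if allowed and default_alg is not None and default_alg not in allowed:
            findings.append((default_key, f"default {default_alg} is not in the constraint's allowed list"))
        for alg in allowed:
            if alg in WEAK_ALGS:
                findings.append((allowed_key, f"constraint admits weak algorithm {alg}"))
    return findings


def harden(text: str, replacement: str = "SHA256withRSA") -> str:
    """Rewrite weak signing-algorithm values in place; every other line is kept as-is."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        k = key.strip()
        if sep and not k.startswith("#"):
            if (k.endswith("defaultSigningAlgorithm") or k.endswith(".signingAlg")) and value.strip() in WEAK_ALGS:
                raw = f"{k}={replacement}"
            elif k.endswith(".signingAlgsAllowed"):
                kept = [a.strip() for a in value.split(",") if a.strip() and a.strip() not in WEAK_ALGS]
                raw = f"{k}={','.join(kept) or replacement}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, text in (("main config", SAMPLE_CS_CFG), ("profile", SAMPLE_PROFILE)):
        for key, problem in audit(parse_properties(text)):
            print(f"{name}: {key}: {problem}")
        print(f"{name}: {len(audit(parse_properties(harden(text))))} findings after harden()")
```

Run it against the real files before re-running the installer: audit() reports the preop key and the weak policy set, and harden() writes the corrected text. The audit also catches the case the thread's constraint makes possible, a default algorithm that the constraint's allowed list does not contain, which would make enrollment with that profile fail rather than silently sign with the weak algorithm.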