[Pki-users] Questions on customizing certificate profiles
Arshad Noor
arshad.noor at strongauth.com
Tue Apr 6 18:58:36 UTC 2010
So, despite changing CS.cfg in /usr/share/pki/ca/conf to:
--------------------
preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
ca.Policy.rule.SigningAlgRule.algorithms=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
--------------------
I still get SHA1 signature algorithms in all certs.
I also noticed that when the instance CS.cfg is created in
the /etc/<instance> directory, strangely, it has the following:
--------------------
# grep SHA /etc/rootca/CS.cfg
ca.Policy.rule.SigningAlgRule.algorithms=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
ca.crl.MasterCRL.signingAlgorithm=SHA1withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA1withRSA
ca.scep.hashAlgorithm=SHA1
ca.signing.defaultSigningAlgorithm=SHA1withRSA
preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
--------------------
Notice that despite preop.cert.signing.defaultSigningAlgorithm
having SHA256withRSA as a value, the instance CS.cfg now has
ca.signing.defaultSigningAlgorithm as SHA1withRSA.
Where did this get picked up from?
I almost feel like I'm playing a game of "Chutes & Ladders"
with the same paramters in .profiles, .cfg, CS.cfg and who
knows where else.
I will now try the next suggestion and see where it takes me.
Thanks.
Arshad Noor
StrongAuth, Inc.
Marc Sauton wrote:
> For this first CA, what about changing the pre-op settings in the main
> config file, like:
> preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
> -->
> preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
> ?
> M.
>
> On 04/06/2010 10:40 AM, Arshad Noor wrote:
>> One more bit of information; in addition to adding the
>> "default.params.signingAlg" parameter, I also modified the
>> following parameters in caCACert.cfg, but I still keep
>> getting SHA1withRSA; none of my changes are picked up in
>> the self-signed cert:
>>
>> policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
>> policyset.caCertSet.9.constraint.name=No Constraint
>> policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
>>
>> policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
>> policyset.caCertSet.9.default.name=Signing Alg
>> policyset.caCertSet.9.default.params.signingAlg=SHA256withRSA
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Arshad Noor wrote:
>>> Hi,
>>>
>>> I thought I used to know the Certificate Server, but it appears
>>> that so much has changed that I feel like I'm starting over again.
>>> Hopefully, I'm the one who's making mistakes and that DogTag is
>>> really not different from RHCS.
>>>
>>> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
>>> customize the initial certificates created by the installation
>>> process. For example, here is what I'm doing:
>>>
>>> 1) Run "yum install pki-ca".
>>> 2) Run "pkicreate" with appropriate parameters.
>>> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
>>> files to do the following:
>>>
>>> - Add "default.params.signingAlg=SHA256withRSA" to the files;
>>> - Remove digitalSignature and nonRepudiation for CA cert;
>>> - Remove digitalSignature, nonRepudiation, dataEncipherment
>>> for Server cert;
>>> - Change default validity periods, etc.
>>>
>>> Yet, none of the certificates generated by the installation process
>>> have these changes in them.
>>>
>>> I've tried stopping "pki-cad", copying the modified *.cfg files to
>>> the appropriate "<instance>/profiles/ca" directory and restarting
>>> pki-cad in case the service needed to see the modified files at
>>> startup - but to no avail.
>>>
>>> I've tried modifying the *.profile files in the /etc/<instance>
>>> directory, but to no avail.
>>>
>>> How does one customize the certificates before the self-signed cert
>>> is generated?
>>>
>>> I'm going through the PDF documentation for RHCS 8.0 and assuming
>>> that the instructions there apply to DogTag too. The version number
>>> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
>>> repository.
>>>
>>> Thanks.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
More information about the Pki-users
mailing list