[Pki-users] Questions on customizing certificate profiles

Arshad Noor arshad.noor at strongauth.com
Tue Apr 6 18:58:36 UTC 2010


So, despite changing CS.cfg in /usr/share/pki/ca/conf to:

--------------------
preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
ca.Policy.rule.SigningAlgRule.algorithms=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
--------------------

I still get SHA1 signature algorithms in all certs.

I also noticed that when the instance CS.cfg is created in
the /etc/<instance> directory, strangely, it has the following:

--------------------
# grep SHA /etc/rootca/CS.cfg
ca.Policy.rule.SigningAlgRule.algorithms=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
ca.crl.MasterCRL.signingAlgorithm=SHA1withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA1withRSA
ca.scep.hashAlgorithm=SHA1
ca.signing.defaultSigningAlgorithm=SHA1withRSA
preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
preop.cert.audit_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.sslserver.defaultSigningAlgorithm=SHA256withRSA
preop.cert.subsystem.defaultSigningAlgorithm=SHA256withRSA
--------------------

Notice that despite preop.cert.signing.defaultSigningAlgorithm
having SHA256withRSA as a value, the instance CS.cfg now has
ca.signing.defaultSigningAlgorithm as SHA1withRSA.

Where did this get picked up from?

I almost feel like I'm playing a game of "Chutes & Ladders"
with the same parameters in .profiles, .cfg, CS.cfg and who
knows where else.

I will now try the next suggestion and see where it takes me.
Thanks.

Arshad Noor
StrongAuth, Inc.


Marc Sauton wrote:
> For this first CA, what about changing the pre-op settings in the main 
> config file, like:
> preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
> -->
> preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
> ?
> M.
> 
> On 04/06/2010 10:40 AM, Arshad Noor wrote:
>> One more bit of information; in addition to adding the
>> "default.params.signingAlg" parameter, I also modified the
>> following parameters in caCACert.cfg, but I still keep
>> getting SHA1withRSA; none of my changes are picked up in
>> the self-signed cert:
>>
>> policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
>> policyset.caCertSet.9.constraint.name=No Constraint
>> policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC 
>>
>> policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
>> policyset.caCertSet.9.default.name=Signing Alg
>> policyset.caCertSet.9.default.params.signingAlg=SHA256withRSA
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Arshad Noor wrote:
>>> Hi,
>>>
>>> I thought I used to know the Certificate Server, but it appears
>>> that so much has changed that I feel like I'm starting over again.
>>> Hopefully, I'm the one who's making mistakes and that DogTag is
>>> really not different from RHCS.
>>>
>>> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
>>> customize the initial certificates created by the installation
>>> process.  For example, here is what I'm doing:
>>>
>>> 1) Run "yum install pki-ca".
>>> 2) Run "pkicreate" with appropriate parameters.
>>> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
>>>    files to do the following:
>>>
>>>     - Add "default.params.signingAlg=SHA256withRSA" to the files;
>>>     - Remove digitalSignature and nonRepudiation for CA cert;
>>>     - Remove digitalSignature, nonRepudiation, dataEncipherment
>>>         for Server cert;
>>>     - Change default validity periods, etc.
>>>
>>> Yet, none of the certificates generated by the installation process
>>> have these changes in them.
>>>
>>> I've tried stopping "pki-cad", copying the modified *.cfg files to
>>> the appropriate "<instance>/profiles/ca" directory and restarting
>>> pki-cad in case the service needed to see the modified files at
>>> startup - but to no avail.
>>>
>>> I've tried modifying the *.profile files in the /etc/<instance>
>>> directory, but to no avail.
>>>
>>> How does one customize the certificates before the self-signed cert
>>> is generated?
>>>
>>> I'm going through the PDF documentation for RHCS 8.0 and assuming
>>> that the instructions there apply to DogTag too.  The version number
>>> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
>>> repository.
>>>
>>> Thanks.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
> 
> 
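The thread turns on which CS.cfg keys actually end up holding SHA1 after pkicreate, and on the fact that a preop.cert.*.defaultSigningAlgorithm value does not guarantee the matching ca.*.defaultSigningAlgorithm value in the instance CS.cfg. The following is an added audit script, not part of the thread or of Dogtag/RHCS, that parses the key=value format shown above, flags any signing/hash algorithm setting still set to SHA1 (or MD5), and reports preop-vs-instance divergences. The sample configuration is constructed from the grep output quoted in the thread plus one comment and one unrelated key; the assumption that preop.cert.TAG.defaultSigningAlgorithm pairs with ca.TAG.defaultSigningAlgorithm is taken only from the two pairs visible in the thread (signing and ocsp_signing).

```python
"""Audit a Dogtag/RHCS-style CS.cfg for weak signing algorithm settings.

Hypothetical helper (not Dogtag's own code). It reads the plain
key=value format of CS.cfg and reports:
  * any signing/hash algorithm key whose value names SHA1/MD5
  * any preop.cert.<tag>.defaultSigningAlgorithm that disagrees with
    ca.<tag>.defaultSigningAlgorithm in the same file
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: mirrors the `grep SHA /etc/rootca/CS.cfg` lines from
# the thread, plus a comment and one unrelated key to exercise the parser.
SAMPLE_CS_CFG = """\
# constructed sample, not a real instance file
ca.Policy.rule.SigningAlgRule.algorithms=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
ca.crl.MasterCRL.signingAlgorithm=SHA1withRSA
ca.ocsp_signing.defaultSigningAlgorithm=SHA1withRSA
ca.scep.hashAlgorithm=SHA1
ca.signing.defaultSigningAlgorithm=SHA1withRSA
preop.cert.admin.defaultSigningAlgorithm=SHA256withRSA
preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA
ca.profiles.dir=/var/lib/rootca/profiles
"""

# Digests that should no longer sign anything; "SHA1withRSA", "SHA1", "MD5withRSA" ...
WEAK_DIGESTS = re.compile(r"^(SHA1|MD5|MD2)(with|$)", re.IGNORECASE)
# Key suffixes that carry an algorithm name (or a comma-separated allow-list)
ALG_KEY = re.compile(r"(signingAlgorithm|signingAlg|hashAlgorithm|algorithms)$", re.IGNORECASE)
PREOP_KEY = re.compile(r"^preop\.cert\.(\w+)\.defaultSigningAlgorithm$")


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg: one key=value per line, '#' comments, blank lines ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def weak_algorithm_settings(cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, algorithm) for every weak digest found in an algorithm key.

    Allow-lists such as ca.Policy.rule.SigningAlgRule.algorithms are split on
    commas so a single SHA1 entry inside an otherwise strong list is reported.
    """
    findings: List[Tuple[str, str]] = []
    for key, value in cfg.items():
        if not ALG_KEY.search(key):
            continue
        for alg in (a.strip() for a in value.split(",")):
            if WEAK_DIGESTS.match(alg):
                findings.append((key, alg))
    return findings


def preop_vs_instance_mismatches(cfg: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (tag, preop_value, instance_value) where the two disagree.

    Assumes the naming pattern seen in the thread: preop.cert.<tag> pairs
    with ca.<tag>.defaultSigningAlgorithm. Tags without an instance key
    (e.g. admin, sslserver) are skipped rather than guessed.
    """
    out: List[Tuple[str, str, str]] = []
    for key, value in cfg.items():
        m = PREOP_KEY.match(key)
        if not m:
            continue
        instance_key = "ca.%s.defaultSigningAlgorithm" % m.group(1)
        if instance_key in cfg and cfg[instance_key] != value:
            out.append((m.group(1), value, cfg[instance_key]))
    return out


if __name__ == "__main__":
    cfg = parse_cs_cfg(SAMPLE_CS_CFG)
    for key, alg in weak_algorithm_settings(cfg):
        print("WEAK  %s=%s" % (key, alg))
    for tag, want, got in preop_vs_instance_mismatches(cfg):
        print("DRIFT %s: preop=%s instance=%s" % (tag, want, got))
```

Run against a real file with `parse_cs_cfg(open("/etc/<instance>/CS.cfg").read())`; on the constructed sample it reports the four SHA1 keys from the thread and the two tags (signing, ocsp_signing) whose preop and instance values diverge. Because the instance file is regenerated from the template, the check is worth re-running after every pkicreate rather than once against /usr/share/pki/ca/conf/CS.cfg.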



