[Pki-users] Questions on customizing certificate profiles

Chandrasekar Kannan ckannan at redhat.com
Tue Apr 6 23:53:23 UTC 2010


On 04/06/2010 04:28 PM, Arshad Noor wrote:
> It's a possibility it could work, Andrew, but it seems like a
> rather convoluted way to get a straightforward task done.  I
> fear for the issues that I might run into with that process.
>
> Am I the only one who is building a PKI with DogTag without
> the use of SHA1?  Seems hard to comprehend given that NIST has
> recommended for the last 2 years that all new implementations
> avoid SHA1, and to not use it starting Jan 2011.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> Andrew Wnuk wrote:
>> Arshad,
>>
>> You could try renewal called "Renew certificate to be manually 
>> approved by agents". Customize your certificate using agent approval 
>> page and import new certificate to NSS-DB.
>>
>> Andrew
>>
>> On 04/06/10 10:34, Arshad Noor wrote:
>>> Hi,
>>>
>>> I thought I used to know the Certificate Server, but it appears
>>> that so much has changed that I feel like I'm starting over again.
>>> Hopefully, I'm the one who's making mistakes and that DogTag is
>>> really not different from RHCS.
>>>
>>> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
>>> customize the initial certificates created by the installation
>>> process.  For example, here is what I'm doing:
>>>
>>> 1) Run "yum install pki-ca".
>>> 2) Run "pkicreate" with appropriate parameters.
>>> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
>>>    files to do the following:
>>>
>>>     - Add "default.params.signingAlg=SHA256withRSA" to the files;
>>>     - Remove digitalSignature and nonRepudiation for CA cert;
>>>     - Remove digitalSignature, nonRepudiation, dataEncipherment
>>>         for Server cert;
>>>     - Change default validity periods, etc.
>>>
>>> Yet, none of the certificates generated by the installation process
>>> have these changes in them.
>>>
>>> I've tried stopping "pki-cad", copying the modified *.cfg files to
>>> the appropriate "<instance>/profiles/ca" directory and restarting
>>> pki-cad in case the service needed to see the modified files at
>>> startup - but to no avail.
>>>
>>> I've tried modifying the *.profile files in the /etc/<instance>
>>> directory, but to no avail.
>>>
>>> How does one customize the certificates before the self-signed cert
>>> is generated?
>>>
>>> I'm going through the PDF documentation for RHCS 8.0 and assuming
>>> that the instructions there apply to DogTag too.  The version number
>>> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
>>> repository.

The installation wizard should provide 'options' under the advanced
section for you to be able to select the alg to use. Have you tried
doing Step (8) from here?
http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html


>>>
>>> Thanks.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
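The profile edits described in the thread (pinning signingAlg to SHA256withRSA and dropping key-usage bits from the CA and server certificate profiles) are easy to get subtly wrong, and as the last reply notes, the installation-time certificates are governed by the configuration wizard rather than the edited .cfg files, so checking the profile alone is not enough. The following Python checker is an added example, not code from the thread or from the Dogtag project: it parses a profile file in its Java-properties form, reports a weak default signing algorithm, a constraint that still permits one, and key-usage bits the operator wants cleared, and emits a hardened copy. The policy and parameter names (signingAlgDefaultImpl, keyUsageExtDefaultImpl, default.params.signingAlg, constraint.params.signingAlgsAllowed, default.params.keyUsage*) are modelled on Dogtag's caCACert.cfg and are an assumption here; SAMPLE_CA_PROFILE is a constructed excerpt, not a file shipped by the project.

```python
"""Audit a Dogtag-style certificate profile (.cfg, Java properties format)
for weak signing-algorithm settings and for key-usage defaults the operator
wants cleared, and produce a hardened copy.

Assumptions: the policy/parameter names (signingAlgDefaultImpl,
keyUsageExtDefaultImpl, default.params.signingAlg,
constraint.params.signingAlgsAllowed, default.params.keyUsage*) are modelled
on Dogtag's caCACert.cfg; SAMPLE_CA_PROFILE is a constructed excerpt, not a
file shipped by the project.
"""
import re

# Signature algorithms a new CA should no longer issue with.
WEAK_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withEC"}

# Constructed sample modelled on a CA-signing-certificate profile.
SAMPLE_CA_PROFILE = """\
desc=Constructed sample profile for a CA signing certificate
visible=true
enable=true
policyset.list=caCertSet
policyset.caCertSet.list=1,2,3
policyset.caCertSet.1.default.class_id=keyUsageExtDefaultImpl
policyset.caCertSet.1.default.params.keyUsageCritical=true
policyset.caCertSet.1.default.params.keyUsageDigitalSignature=true
policyset.caCertSet.1.default.params.keyUsageNonRepudiation=true
policyset.caCertSet.1.default.params.keyUsageKeyCertSign=true
policyset.caCertSet.1.default.params.keyUsageCrlSign=true
policyset.caCertSet.2.default.class_id=validityDefaultImpl
policyset.caCertSet.2.default.params.range=2922
policyset.caCertSet.3.default.class_id=signingAlgDefaultImpl
policyset.caCertSet.3.default.params.signingAlg=SHA1withRSA
policyset.caCertSet.3.constraint.class_id=signingAlgConstraintImpl
policyset.caCertSet.3.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA
"""


def parse_profile(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_policies(props, class_id):
    """Return the 'policyset.<set>.<n>' prefixes of policies using the given default class."""
    prefixes = []
    for key, value in props.items():
        m = re.fullmatch(r"(policyset\.[^.]+\.[^.]+)\.default\.class_id", key)
        if m and value == class_id:
            prefixes.append(m.group(1))
    return prefixes


def audit_profile(text, forbidden_key_usages=()):
    """Return a list of findings; an empty list means nothing to report."""
    props = parse_profile(text)
    findings = []
    sig_policies = find_policies(props, "signingAlgDefaultImpl")
    if not sig_policies:
        findings.append("no signingAlgDefaultImpl policy: profile does not pin a signing algorithm")
    for p in sig_policies:
        alg = props.get(p + ".default.params.signingAlg", "")
        if alg in WEAK_ALGS:
            findings.append(f"{p}: default signingAlg {alg} is weak")
        # The constraint decides what an agent may still pick on the approval page.
        allowed = [a.strip() for a in props.get(p + ".constraint.params.signingAlgsAllowed", "").split(",")]
        weak_allowed = sorted(WEAK_ALGS.intersection(allowed))
        if weak_allowed:
            findings.append(f"{p}: constraint still permits {','.join(weak_allowed)}")
    for p in find_policies(props, "keyUsageExtDefaultImpl"):
        for usage in forbidden_key_usages:
            if props.get(f"{p}.default.params.keyUsage{usage}", "false").lower() == "true":
                findings.append(f"{p}: keyUsage{usage} is enabled")
    return findings


def harden_profile(text, forbidden_key_usages=(), target_alg="SHA256withRSA"):
    """Return a copy of the profile with weak signing algorithms replaced/removed
    and the listed key-usage bits cleared. Ordering and comments are preserved."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        k = key.strip()
        if sep and k.endswith(".default.params.signingAlg") and value.strip() in WEAK_ALGS:
            value = target_alg
        elif sep and k.endswith(".constraint.params.signingAlgsAllowed"):
            kept = [a.strip() for a in value.split(",") if a.strip() and a.strip() not in WEAK_ALGS]
            value = ",".join(kept) or target_alg
        elif sep and any(k.endswith(f".default.params.keyUsage{u}") for u in forbidden_key_usages):
            value = "false"
        out.append(f"{k}={value.strip()}" if sep else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    usages = ("DigitalSignature", "NonRepudiation")  # bits the thread removes from the CA cert
    for f in audit_profile(SAMPLE_CA_PROFILE, usages):
        print("FINDING:", f)
    print(harden_profile(SAMPLE_CA_PROFILE, usages))
```

Run it against each profile you edit before restarting the instance; a clean audit still only proves the profile is right, so confirm the signature algorithm on the certificate the CA actually issued as well.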