[Pki-users] Questions on customizing certificate profiles

Arshad Noor arshad.noor at strongauth.com
Thu Apr 8 17:55:15 UTC 2010


Can someone from the DogTag Engineering team confirm that a PKI
with only SHA-2 hashes *cannot* be built with the current version
of the product?

I find this hard to believe given that the RHCS documentation seems
to indicate that it is possible to do so, and given that the
underlying code already has SHA-2 support; nevertheless, can someone
confirm Oliver's finding?  Thanks.

Arshad Noor
StrongAuth, Inc.

P.S.  Since the RHCS 8.0 documentation does state that SHA-2 hashes
can be configured at the time the self-signed cert is created, does
that imply that the commercial RHCS is technologically different from
the open-source DogTag?  And, that it isn't just a question of RedHat
support?


Oliver Burtchen wrote:
> Hi @ all,
> 
> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by editing the 
> config files. No luck!
> 
> I found this is hard-coded in the sources, for example in:
> 
> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
> - pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java
> 
> Just look for "SHA1withRSA" in the files, I don't think these are just
> fallbacks.
> 
> Best regards,
> Oli
> 
> 
> 
> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>> The only option that is visible under Advanced is the key-size
>>> for each of the certificate-types.  The hash algorithm does not
>>> show up at all.
>>>
>>> Even the default, as mentioned by Step 8, is not the default as
>>> the last 10-12 installs have shown:
>>>
>>> * SHA256withRSA (the default)
>>>
>>> So, the question is: is the current build of DogTag in the pki
>>> repository identical to RHCS 8.0 or is it a different version?
>> It might very well be ... we can look at the svn commits
>> to be really sure...
>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>> Chandrasekar Kannan wrote:
>>>> the installation wizard should provide 'options' under the advanced
>>>> section for you to be able to select the alg to use. Have you tried
>>>> doing Step (8) from here ?
>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html



