[Pki-users] Questions on customizing certificate profiles

Oliver Burtchen o.burtchen at gmx.de
Thu Apr 8 21:27:18 UTC 2010


Just for the record,

the "renewal method" seems to work, but it is very annoying. I would be very 
glad to see the possibility to change the hash-alg as an option to pkicreate, 
in the wizard or pkisilent. This is a feature request.  ;-)

Best regards,
Oli


On Thursday, 8 April 2010 22:12:40, Oliver Burtchen wrote:
> Hi Kevin,
> 
> thanks for making the differences plain. For me RHBA-2009-1602 is more a
>  new feature than a bug fix, but okay.  ;-)
> 
> It seems that pkisilent does not offer an option to change the hash to
>  SHA-2, and as I wrote earlier, IMHO it is deliberately hard-coded. Most of
>  the rest of dogtag has code to work with SHA-2.
> 
> I will give the "renewal method" a try.
> 
> Best regards,
> Oli
> 
> On Thursday, 8 April 2010 20:51:14, Kevin Unthank wrote:
> > Hi Arshad,
> >
> > Obviously, there are differences between RHCS8 and the latest release
> > of Dogtag. Generally, new feature development takes place in dogtag
> > and some of those features find their way back into RHCS8. Bug fixing
> > often occurs first in RHCS8 and those fixes are ported to dogtag.
> >
> > PKI with only SHA-2 hashes is a fix that was made in the RHCS8
> > code tree and released in both source and binary form in errata
> > RHBA-2009-1602. That fix will make it into dogtag builds but I can't
> > commit to a specific release or date when this will happen.
> >
> > Until then it should be possible to work around the problem by using
> > pkisilent or the renewal method suggested by Andrew.
> >
> > Cheers,
> > Kev
> >
> > On 04/08/2010 10:55 AM, Arshad Noor wrote:
> > > Can someone from the DogTag Engineering team confirm that a PKI
> > > with only SHA-2 hashes *cannot* be built with the current version
> > > of the product?
> > >
> > > I find this hard to believe given that the RHCS documentation seems
> > > to indicate that it is possible to do so, and given that the
> > > underlying code already has SHA-2 support; nevertheless, can someone
> > > confirm Oliver's finding? Thanks.
> > >
> > > Arshad Noor
> > > StrongAuth, Inc.
> > >
> > > P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
> > > can be configured at the time the self-signed cert is created, does
> > > that imply that the commercial RHCS is technologically different from
> > > the open-source DogTag? And, that it isn't just a question of RedHat
> > > support?
> > >
> > > Oliver Burtchen wrote:
> > >> Hi @ all,
> > >>
> > >> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
> > >> editing the config files. No luck!
> > >>
> > >> I found, this is hard-coded in the sources, for example in:
> > >>
> > >> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
> > >> - pki-common-1.3.2/src/com/netscape/cmscore/security/CASigningCert.java
> > >>
> > >> Just look for "SHA1withRSA" in the files, I don't think these are just
> > >> fallbacks.
> > >>
> > >> Best regards,
> > >> Oli
> > >>
> > >> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
> > >>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
> > >>>> The only option that is visible under Advanced is the key-size
> > >>>> for each of the certificate-types. The hash algorithm does not
> > >>>> show up at all.
> > >>>>
> > >>>> Even the default, as mentioned by Step 8, is not the default as
> > >>>> the last 10-12 installs have shown:
> > >>>>
> > >>>> * SHA256withRSA (the default)
> > >>>>
> > >>>> So, the question is: is the current build of DogTag in the pki
> > >>>> repository identical to RHCS 8.0 or is it a different version?
> > >>>
> > >>> It might very well be ... we can look at the svn commits
> > >>> to be really sure...
> > >>>
> > >>>> Arshad Noor
> > >>>> StrongAuth, Inc.
> > >>>>
> > >>>> Chandrasekar Kannan wrote:
> > >>>>> the installation wizard should provide 'options' under the advanced
> > >>>>> section for you to be able to select the alg to use. Have you tried
> > >>>>> doing Step (8) from here?
> > >>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
> > >>>
> > >>> _______________________________________________
> > >>> Pki-users mailing list
> > >>> Pki-users at redhat.com
> > >>> https://www.redhat.com/mailman/listinfo/pki-users
> > >
> >
> 

-- 
Oliver Burtchen, Berlin
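Whatever the wizard, pkisilent or the renewal workaround claims to have done, the thing to check afterwards is the issued CA signing certificate itself. The following is an added example, not Dogtag or RHCS code: a minimal DER walker that reads the signatureAlgorithm of an X.509 certificate and reports the hash actually used. The OIDs are the standard PKCS#1 ones (1.2.840.113549.1.1.5 for sha1WithRSAEncryption, .11 for sha256WithRSAEncryption). Because RFC 5280 requires the AlgorithmIdentifier inside tbsCertificate to match the outer one, the check compares both and fails on a mismatch. The three sample certificates at the bottom are constructed skeletons with the real field layout but placeholder contents and no real key or signature; they exist only so the script runs offline.

```python
"""Report which signature hash a DER/PEM X.509 certificate actually uses.

Added example (not Dogtag/RHCS code). Certificate ::= SEQUENCE {
  tbsCertificate, signatureAlgorithm, signatureValue }; the AlgorithmIdentifier
in tbsCertificate must equal the outer signatureAlgorithm (RFC 5280, 4.1.1.2).
"""
import base64
import sys

# Standard PKCS#1 signature-algorithm OIDs; the table is deliberately short.
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
SIG_ALG_OIDS = {
    OID_SHA1_RSA: "sha1WithRSAEncryption",
    OID_SHA256_RSA: "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OID contents octets (base-128, high bit = continue) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def algorithm_oid(alg_der):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }: return the OID."""
    tag, oid_raw, _ = read_tlv(alg_der, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid_raw)


def certificate_algorithms(cert_der):
    """Return (inner_oid, outer_oid): tbsCertificate.signature and Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, tbs, pos = read_tlv(cert, 0)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    _, outer_alg, _ = read_tlv(cert, pos)      # signatureAlgorithm
    # tbsCertificate starts with optional [0] version, then serialNumber, then signature.
    tag, _, tpos = read_tlv(tbs, 0)
    if tag == 0xA0:
        tag, _, tpos = read_tlv(tbs, tpos)     # skip version, read serialNumber
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = read_tlv(tbs, tpos)
    return algorithm_oid(inner_alg), algorithm_oid(outer_alg)


def check_sha2(cert_der):
    """Return (ok, description); ok only if both identifiers agree and name a SHA-2 RSA signature."""
    inner, outer = certificate_algorithms(cert_der)
    if inner != outer:
        return False, f"inner/outer signature algorithms differ: {inner} vs {outer}"
    name = SIG_ALG_OIDS.get(outer, "unknown OID " + outer)
    return name.startswith(("sha256", "sha384", "sha512")), name


def load_certificate(data):
    """Accept raw DER or a single PEM block."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


# --- constructed sample certificates (skeletons, not real certs) -------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _sample_cert(inner_oid, outer_oid):
    alg = lambda oid: der(0x30, der(0x06, encode_oid(oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(inner_oid))
    sig = der(0x03, b"\x00" * 33)             # placeholder BIT STRING, not a signature
    return der(0x30, tbs + alg(outer_oid) + sig)


SHA1_CERT = _sample_cert(OID_SHA1_RSA, OID_SHA1_RSA)
SHA256_CERT = _sample_cert(OID_SHA256_RSA, OID_SHA256_RSA)
MISMATCHED_CERT = _sample_cert(OID_SHA256_RSA, OID_SHA1_RSA)

if __name__ == "__main__":
    certs = {"sha1 sample": SHA1_CERT, "sha256 sample": SHA256_CERT}
    if len(sys.argv) > 1:                      # e.g. the CA signing cert exported from the NSS db
        certs = {sys.argv[1]: load_certificate(open(sys.argv[1], "rb").read())}
    for label, c in certs.items():
        ok, desc = check_sha2(c)
        print(f"{label}: {'OK' if ok else 'NOT SHA-2'} ({desc})")
```

Run it with no arguments to see the two samples classified, or pass a DER or PEM file such as the CA signing certificate exported from the server's NSS database. The inner/outer comparison matters because a certificate re-signed by the renewal method must have both fields updated; a stale tbsCertificate.signature still naming SHA-1 would be rejected by strict validators.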