[Pki-users] Questions on customizing certificate profiles

Arshad Noor arshad.noor at strongauth.com
Thu Apr 8 21:43:22 UTC 2010


Oliver,

So, what you did was complete the entire process using SHA-1,
submit an immediate renewal after modifying the profiles and
then install the renewed certificate with SHA-2?

A question for Kevin: is this going to require that all the
certs generated through the installation process must go
through an immediate renewal to get other custom parameters
in them?  The certs I want have:

1) SHA-256;
2) Custom key-usages - not default for everything;
3) Custom AIA extensions - (did you know that the AIA extension
    in the OCSP Signing certificate has a pointer to the OCSP
    URL?  I didn't look closely, but I think it may have also
    been missing the OCSPNoCheck extension - how could OCSP work
    at all with these defaults?)
4) Custom CPS extensions;
5) Etc.

The renewal method essentially forces us to install the PKI
twice to get it right, with the additional burden of performing
renewals, approvals, replacements, etc. to get the certs right.
If there is one tiny error in this additional process, the work
just multiplies from there.

This is not elegant at all, Kevin.

Is there any priority that can be placed towards merging the RHCS
code into DogTag and fixing this?

Arshad Noor
StrongAuth, Inc.
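
The checks behind items 1) to 3) of the list above, as an added example (this is not Dogtag or RHCS code and comes from nobody in this thread): a Python script using the third-party cryptography package that audits a CA signing certificate and an OCSP signing certificate for a SHA-256 signature, purpose-specific key usage, the id-pkix-ocsp-nocheck extension, and an AIA that does not point back at the OCSP responder. The CA and the two responder certificates are constructed in memory so the script runs offline; the "default" responder certificate mimics what is described above (SHA-1, generic key usage, OCSP URL in the AIA, no nocheck), the "fixed" one is what the customised profile should produce. Names and URLs are placeholders.

```python
"""Post-install audit of CA and OCSP signing certificates.
Added example, not Dogtag/RHCS code. Assumes the third-party `cryptography`
package. Sample certificates are constructed below; for a deployed PKI load
the exported PEM files with x509.load_pem_x509_certificate instead."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)


def audit_cert(cert, role):
    """Return a list of findings for `cert` (role "ca" or "ocsp"); [] is a pass."""
    findings = []
    if not isinstance(cert.signature_hash_algorithm, hashes.SHA256):
        findings.append("signature hash is %s, not sha256"
                        % cert.signature_hash_algorithm.name)
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        findings.append("no KeyUsage extension")
        ku = None
    if role == "ca":
        if ku is not None and not (ku.key_cert_sign and ku.crl_sign):
            findings.append("CA cert lacks keyCertSign/cRLSign")
        return findings
    # OCSP responder certificate, RFC 2560 section 4.2.2.2
    if ku is not None and (not ku.digital_signature or ku.key_encipherment
                           or ku.key_cert_sign):
        findings.append("OCSP signer key usage should be digitalSignature only")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            findings.append("OCSP signer lacks id-kp-OCSPSigning EKU")
    except x509.ExtensionNotFound:
        findings.append("OCSP signer has no ExtendedKeyUsage extension")
    try:
        cert.extensions.get_extension_for_class(x509.OCSPNoCheck)
    except x509.ExtensionNotFound:
        # Without nocheck a client must obtain status for the responder cert,
        # which the same responder cannot usefully answer.
        findings.append("OCSP signer lacks id-pkix-ocsp-nocheck")
    try:
        aia = cert.extensions.get_extension_for_class(
            x509.AuthorityInformationAccess).value
        for ad in aia:
            if ad.access_method == AuthorityInformationAccessOID.OCSP:
                findings.append("OCSP signer AIA points at an OCSP responder: %s"
                                % ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return findings


def _key_usage(**flags):
    """KeyUsage with every bit clear except those named in flags."""
    names = ["digital_signature", "content_commitment", "key_encipherment",
             "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
             "encipher_only", "decipher_only"]
    return x509.KeyUsage(**{n: flags.get(n, False) for n in names})


def _cert(subject_cn, issuer_cn, key, signer_key, hash_alg, extensions):
    """Build and sign a certificate; extensions is a list of (ext, critical)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=365)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signer_key, hash_alg)


def build_sample_pki():
    """Constructed sample PKI: returns (ca_cert, default_ocsp_cert, fixed_ocsp_cert)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ocsp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _cert("Example CA", "Example CA", ca_key, ca_key, hashes.SHA256(), [
        (x509.BasicConstraints(ca=True, path_length=None), True),
        (_key_usage(key_cert_sign=True, crl_sign=True), True)])
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING])
    # "Default" profile as described in the thread: SHA-1, generic key usage,
    # AIA pointing at the OCSP URL, no nocheck extension.
    default_ocsp = _cert("OCSP Signing", "Example CA", ocsp_key, ca_key, hashes.SHA1(), [
        (_key_usage(digital_signature=True, key_encipherment=True), True),
        (eku, False),
        (x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP,
            x509.UniformResourceIdentifier("http://ocsp.example.test/ocsp"))]), False)])
    # Customised profile: SHA-256, digitalSignature only, nocheck, caIssuers-only AIA.
    fixed_ocsp = _cert("OCSP Signing", "Example CA", ocsp_key, ca_key, hashes.SHA256(), [
        (_key_usage(digital_signature=True), True),
        (eku, False),
        (x509.OCSPNoCheck(), False),
        (x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS,
            x509.UniformResourceIdentifier("http://ca.example.test/ca.crt"))]), False)])
    return ca, default_ocsp, fixed_ocsp


if __name__ == "__main__":
    ca, bad, good = build_sample_pki()
    for label, c, role in [("CA", ca, "ca"), ("default OCSP", bad, "ocsp"),
                           ("fixed OCSP", good, "ocsp")]:
        print(label, audit_cert(c, role) or "OK")
```

Run against a deployed instance by exporting the CA signing and OCSP signing certificates from the CA's certificate database and passing them to audit_cert; an empty list after the renewal is the evidence that the renewed certificate really carries the profile changes. The AIA finding is informational: once nocheck is present a relying party never fetches status for the responder certificate, so an OCSP pointer there is merely pointless rather than circular.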

Oliver Burtchen wrote:
> Just for the record,
> 
> the "renewal method" seems to work, but it is very annoying. I would be very 
> glad to see the possibility to change the hash-alg as an option to pkicreate, 
> in the wizard or pkisilent. This is a feature-request.  ;-)
> 
> Best regards,
> Oli
> 
> 
> On Thursday, 8 April 2010 22:12:40, Oliver Burtchen wrote:
>> Hi Kevin,
>>
>> thanks for making the differences plain. For me RHBA-2009-1602 is more of a
>>  new feature than a bug fix, but okay.  ;-)
>>
>> It seems that pkisilent does not offer an option to change the hash to
>>  SHA-2, and as I wrote earlier, IMHO it is deliberately hard-coded. Most of
>>  the rest of dogtag has code to work with SHA-2.
>>
>> I will give the "renewal method" a try.
>>
>> Best regards,
>> Oli
>>
>> On Thursday, 8 April 2010 20:51:14, Kevin Unthank wrote:
>>> Hi Arshad,
>>>
>>> Obviously, there are differences between RHCS8 and the latest release
>>> of Dogtag. Generally, new feature development takes place in dogtag
>>> and some of those features find their way back into RHCS8. Bug fixing
>>> often occurs first in RHCS8 and those fixes are ported to dogtag.
>>>
>>> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
>>> code tree and released in both source and binary form in errata
>>> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
>>> commit to a specific release or date when this will happen.
>>>
>>> Until then it should be possible to work around the problem by using
>>> pkisilent or the renewal method suggested by Andrew.
>>>
>>> Cheers,
>>> Kev
>>>
>>> On 04/08/2010 10:55 AM, Arshad Noor wrote:
>>>> Can someone from the DogTag Engineering team confirm that a PKI
>>>> with only SHA-2 hashes *cannot* be built with the current version
>>>> of the product?
>>>>
>>>> I find this hard to believe given that the RHCS documentation seems
>>>> to indicate that it is possible to do so, and given that the
>>>> underlying code already has SHA-2 support; nevertheless, can someone
>>>> confirm Oliver's finding? Thanks.
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
>>>> can be configured at the time the self-signed cert is created, does
>>>> that imply that the commercial RHCS is technologically different from
>>>> the open-source DogTag? And, that it isn't just a question of RedHat
>>>> support?
>>>>
>>>> Oliver Burtchen wrote:
>>>>> Hi @ all,
>>>>>
>>>>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
>>>>> editing the config files. No luck!
>>>>>
>>>>> I found, this is hard-coded in the sources, for example in:
>>>>>
>>>>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>>>>> - pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java
>>>>>
>>>>> Just look for "SHA1withRSA" in the files, I don't think these are just
>>>>> fallbacks.
>>>>>
>>>>> Best regards,
>>>>> Oli
>>>>>
>>>>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>>>>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>>>>> The only option that is visible under Advanced is the key-size
>>>>>>> for each of the certificate-types. The hash algorithm does not
>>>>>>> show up at all.
>>>>>>>
>>>>>>> Even the default, as mentioned by Step 8, is not the default as
>>>>>>> the last 10-12 installs have shown:
>>>>>>>
>>>>>>> * SHA256withRSA (the default)
>>>>>>>
>>>>>>> So, the question is: is the current build of DogTag in the pki
>>>>>>> repository identical to RHCS 8.0 or is it a different version?
>>>>>> It might very well be ... we can look at the svn commits
>>>>>> to be really sure...
>>>>>>
>>>>>>> Arshad Noor
>>>>>>> StrongAuth, Inc.
>>>>>>>
>>>>>>> Chandrasekar Kannan wrote:
>>>>>>>> the installation wizard should provide 'options' under the advanced
>>>>>>>> section for you to be able to select the alg to use. Have you tried
>>>>>>>> doing Step (8) from here?
>>>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
> 