[Pki-users] Questions on customizing certificate profiles

Andrew Wnuk awnuk at redhat.com
Thu Apr 8 21:54:29 UTC 2010


On 04/08/2010 02:43 PM, Arshad Noor wrote:
> Oliver,
>
> So, what you did was complete the entire process using SHA-1,
> submit an immediate renewal after modifying the profiles and
> then install the renewed certificate with SHA-2?
>
> A question for Kevin: is this going to require that all the
> certs generated through the installation process must go
> through an immediate renewal to get other custom parameters
> in them?  The certs I want have:
>
> 1) SHA-256;
> 2) Custom key-usages - not default for everything;
> 3) Custom AIA extensions - (did you know that the AIA extension
>    in the OCSP Signing certificate has a pointer to the OCSP
>    URL?  I didn't look closely, but I think it may have also
>    been missing the OCSPNoCheck extension - how could OCSP work
>    at all with these defaults?)
> 4) Custom CPS extensions;
> 5) Etc.
>
> The renewal method essentially forces us to install the PKI
> twice to get it right, 
CA installation and certificate renewal are two different processes.
> with the additional burden of performing
> renewals, approvals, replacements, etc. to get the certs right.
> If there is one tiny error in this additional process, the work
> just multiplies from there.
>
> This is not elegant at all, Kevin.
>
> Is there any priority that can be placed towards merging the RHCS
> code into DogTag and fixing this?
>
> Arshad Noor
> StrongAuth, Inc.
>
> Oliver Burtchen wrote:
>> Just for the record,
>>
>> the "renewal method" seems to work, but it is very annoying. I would
>> be very glad to see the possibility to change the hash-alg as an
>> option to pkicreate, in the wizard or pkisilent. This is a
>> feature-request.  ;-)
>>
>> Best regards,
>> Oli
>>
>>
>> On Thursday, 8 April 2010 22:12:40, Oliver Burtchen wrote:
>>> Hi Kevin,
>>>
>>> thanks for making the differences plain. For me RHBA-2009-1602 is
>>> more a new feature than a bug fix, but okay.  ;-)
>>>
>>> It seems that pkisilent does not offer an option to change the hash to
>>> SHA-2, and as I wrote earlier, IMHO it is deliberately hard-coded.
>>> Most of the rest of dogtag has code to work with SHA-2.
>>>
>>> I will give the "renewal method" a try.
>>>
>>> Best regards,
>>> Oli
>>>
>>> On Thursday, 8 April 2010 20:51:14, Kevin Unthank wrote:
>>>> Hi Arshad,
>>>>
>>>> Obviously, there are differences between RHCS8 and the latest release
>>>> of Dogtag. Generally, new feature development takes place in dogtag
>>>> and some of those features find their way back into RHCS8. Bug fixing
>>>> often occurs first in RHCS8 and those fixes are ported to dogtag.
>>>>
>>>> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
>>>> code tree and released in both source and binary form in errata
>>>> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
>>>> commit to a specific release or date when this will happen.
>>>>
>>>> Until then it should be possible to work around the problem by using
>>>> pkisilent or the renewal method suggested by Andrew.
>>>>
>>>> Cheers,
>>>> Kev
>>>>
>>>> On 04/08/2010 10:55 AM, Arshad Noor wrote:
>>>>> Can someone from the DogTag Engineering team confirm that a PKI
>>>>> with only SHA-2 hashes *cannot* be built with the current version
>>>>> of the product?
>>>>>
>>>>> I find this hard to believe given that the RHCS documentation seems
>>>>> to indicate that it is possible to do so, and given that the
>>>>> underlying code already has SHA-2 support; nevertheless, can someone
>>>>> confirm Oliver's finding? Thanks.
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>>
>>>>> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
>>>>> can be configured at the time the self-signed cert is created, does
>>>>> that imply that the commercial RHCS is technologically different from
>>>>> the open-source DogTag? And, that it isn't just a question of RedHat
>>>>> support?
>>>>>
>>>>> Oliver Burtchen wrote:
>>>>>> Hi @ all,
>>>>>>
>>>>>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
>>>>>> editing the config files. No luck!
>>>>>>
>>>>>> I found, this is hard-coded in the sources, for example in:
>>>>>>
>>>>>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>>>>>> - pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java
>>>>>>
>>>>>> Just look for "SHA1withRSA" in the files, I don't think these are
>>>>>> just fallbacks.
>>>>>> Best regards,
>>>>>> Oli
>>>>>>
>>>>>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>>>>>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>>>>>> The only option that is visible under Advanced is the key-size
>>>>>>>> for each of the certificate-types. The hash algorithm does not
>>>>>>>> show up at all.
>>>>>>>>
>>>>>>>> Even the default, as mentioned by Step 8, is not the default as
>>>>>>>> the last 10-12 installs have shown:
>>>>>>>>
>>>>>>>> * SHA256withRSA (the default)
>>>>>>>>
>>>>>>>> So, the question is: is the current build of DogTag in the pki
>>>>>>>> repository identical to RHCS 8.0 or is it a different version?
>>>>>>> It might very well be ... we can look at the svn commits
>>>>>>> to be really sure...
>>>>>>>
>>>>>>>> Arshad Noor
>>>>>>>> StrongAuth, Inc.
>>>>>>>>
>>>>>>>> Chandrasekar Kannan wrote:
>>>>>>>>> the installation wizard should provide 'options' under the advanced
>>>>>>>>> section for you to be able to select the alg to use. Have you tried
>>>>>>>>> doing Step (8) from here ?
>>>>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>>>>>>> _______________________________________________
>>>>>>> Pki-users mailing list
>>>>>>> Pki-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
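A check that follows from the thread above, added here as an illustration and not code from Dogtag, RHCS or anyone on the list: instead of trusting what CS.cfg or the profile text says, parse the certificate the CA actually issued and confirm the signature OID, confirm that the inner tbsCertificate.signature agrees with the outer signatureAlgorithm (a half-applied hard-coded default would show up as a mismatch), and list which extensions (keyUsage, EKU, AIA, OCSPNoCheck) the profile really emitted. Python standard library only. The two sample certificates at the bottom are constructed skeletons with dummy keys and dummy signatures (the OIDs are the standard ones, the caIssuers URL is invented), so only their structure is meaningful; for a real audit pass the DER of an exported certificate to audit_certificate().

```python
"""Audit a DER X.509 certificate for what the thread argues over: a SHA-2 rather than SHA-1
signature, tbsCertificate.signature agreeing with the outer algorithm, and the extensions emitted."""

OID_SHA1_RSA, OID_SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
OID_RSA_ENC, OID_CN = "1.2.840.113549.1.1.1", "2.5.4.3"
OID_KEY_USAGE, OID_EKU, OID_AIA = "2.5.29.15", "2.5.29.37", "1.3.6.1.5.5.7.1.1"
OID_AD_CA_ISSUERS, OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.48.2", "1.3.6.1.5.5.7.3.9"
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"                  # id-pkix-ocsp-nocheck
SIG_NAMES = {OID_SHA1_RSA: "sha1WithRSAEncryption", OID_SHA256_RSA: "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption", "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

# Minimal DER encoder, used only to build the constructed samples at the bottom (not CA output).
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body): return bytes([tag]) + _length(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0           # first byte packs arcs 1 and 2
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def audit_certificate(der):
    """Report signature-algorithm and extension facts for one DER certificate."""
    (_, tbs), (_, sig_alg), _ = children(read_tlv(der)[1])[:3]
    outer = decode_oid(children(sig_alg)[0][1])
    fields = children(tbs)
    # tbsCertificate.signature follows the optional [0] version and the serialNumber
    inner_alg = fields[2][1] if fields[0][0] == 0xA0 else fields[1][1]
    exts = {}
    for tag, value in fields:
        if tag == 0xA3:                                   # [3] EXPLICIT Extensions
            for _, ext in children(children(value)[0][1]):
                parts = children(ext)                     # extnID, [critical], extnValue
                exts[decode_oid(parts[0][1])] = parts[-1][1]
    aia = exts.get(OID_AIA, b"")
    methods = [decode_oid(children(ad)[0][1])
               for _, ad in children(children(aia)[0][1])] if aia else []
    return {"signature_oid": outer,
            "signature_name": SIG_NAMES.get(outer, "unknown"),
            "is_sha2": outer in SIG_NAMES and outer != OID_SHA1_RSA,
            "inner_matches_outer": decode_oid(children(inner_alg)[0][1]) == outer,
            "extensions": sorted(exts),
            "ocsp_nocheck": OID_OCSP_NOCHECK in exts,
            "aia_methods": methods}

def build_sample(sig_oid, extensions, tbs_sig_oid=None):
    """Constructed skeleton (dummy key and signature): structure only, not real CA output."""
    alg = seq(oid(sig_oid), tlv(0x05, b""))
    inner = seq(oid(tbs_sig_oid or sig_oid), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(oid(OID_CN), tlv(0x0C, b"Sample OCSP Signer"))))
    validity = seq(tlv(0x17, b"100408000000Z"), tlv(0x17, b"110408000000Z"))
    spki = seq(seq(oid(OID_RSA_ENC), tlv(0x05, b"")), tlv(0x03, bytes(9)))
    exts = seq(*[seq(oid(o), *([tlv(0x01, b"\xff")] if crit else []), tlv(0x04, val))
                 for o, crit, val in extensions])
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), inner, name,
              validity, name, spki, tlv(0xA3, exts))
    return seq(tbs, alg, tlv(0x03, bytes(9)))

# What the thread says the installer emits, versus the customised profile it asks for.
LEGACY = build_sample(OID_SHA1_RSA, [(OID_KEY_USAGE, True, b"\x03\x02\x05\xa0")])
DESIRED = build_sample(OID_SHA256_RSA, [
    (OID_KEY_USAGE, True, b"\x03\x02\x07\x80"),                      # digitalSignature only
    (OID_EKU, False, seq(oid(OID_KP_OCSP_SIGNING))),
    (OID_AIA, False, seq(seq(oid(OID_AD_CA_ISSUERS), tlv(0x86, b"http://ca.example.test/ca.crt")))),  # assumed URL
    (OID_OCSP_NOCHECK, False, tlv(0x05, b"")),
])
```

To audit a certificate from a live instance, export it from the instance's NSS database in DER form (certutil -L -d <alias dir> -n <nickname> -r > cert.der, with the nickname taken from certutil -L) and call audit_certificate() on the file contents. A result with is_sha2 False on a CA that was configured for SHA256withRSA, or inner_matches_outer False, is the "hard-coded SHA1withRSA" symptom Oliver describes showing up in the issued certificate itself.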
