[Pki-users] Questions on customizing certificate profiles

Kevin Unthank kevinu at redhat.com
Thu Apr 8 23:09:23 UTC 2010


Hi Arshad,

We most certainly have not forgotten our open-source roots.

In response to customer demand for this SHA2 functionality, Red Hat
engineers implemented it and released it as an enhancement errata
for RHCS8. At the very same time, the source code for that
enhancement was made available, freely, to everyone in the dogtag
community.

You can check out that code with SVN:
svn co https://pki.fedoraproject.org/svn/pki/branches/PKI_8_0_ERRATA_BRANCH
Merge it with the dogtag source and compile your own dogtag
packages with the desired functionality.

As I stated in my earlier response we absolutely intend to
take the code from the open-source CS8 branch, and add it to the
open-source dogtag tip but that work has not been scheduled yet.
I will see if I can get the priority bumped up.

I strongly encourage you to create your own dogtag build
environment so you can get access to the latest code checkins.
There are instructions for doing this on the dogtag wiki and
I know some of the community members have already done this.

There is no manipulation of the trust and goodwill of the
open-source community going on here.

Cheers,
Kev

On 04/08/2010 03:25 PM, Arshad Noor wrote:
> I am sorry to read this, Kevin.  It suggests that RedHat has
> forgotten its open-source roots and what made it a billion
> dollar company in the first place.
>
> We are all familiar with the **** that companies put up with
> when buying some commercial products. Open-source was meant
> to be an answer to that problem - that quality could be vastly
> improved in software when there were many eyes looking at the
> source - not because some people just like the idea of seeing
> the source-code of the products they use.
>
> That RedHat was making money on services off of open-source
> products was perfectly acceptable - there is real value in
> services. But, when the open-source company starts
> differentiating its open-source products from its commercial
> products, it subverts the whole notion of open-source and what
> it stands for.
>
> If the fix did not exist and it was up to the open-source
> community to prioritize the fix, that's one thing. But when
> the fix *does* exist, and has been merged into the commercial
> branch, but is not merged into the open-source branch - that
> suggests deliberate manipulation of the trust and goodwill of
> the open-source community.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> Kevin Unthank wrote:
>> Hi Arshad,
>>
>> Obviously, there are differences between RHCS8 and the latest release
>> of Dogtag. Generally, new feature development takes place in dogtag
>> and some of those features find their way back into RHCS8. Bug fixing
>> often occurs first in RHCS8 and those fixes are ported to dogtag.
>>
>> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
>> code tree and released in both source and binary form in errata
>> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
>> commit to a specific release or date when this will happen.
>>
>> Until then it should be possible to work around the problem by using
>> pkisilent or the renewal method suggested by Andrew.
>>
>> Cheers,
>> Kev
>>
>> On 04/08/2010 10:55 AM, Arshad Noor wrote:
>>> Can someone from the DogTag Engineering team confirm that a PKI
>>> with only SHA-2 hashes *cannot* be built with the current version
>>> of the product?
>>>
>>> I find this hard to believe given that the RHCS documentation seems
>>> to indicate that it is possible to do so, and given that the
>>> underlying code already has SHA-2 support; nevertheless, can someone
>>> confirm Oliver's finding? Thanks.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
>>> can be configured at the time the self-signed cert is created, does
>>> that imply that the commercial RHCS is technologically different from
>>> the open-source DogTag? And, that it isn't just a question of RedHat
>>> support?
>>>
>>>
>>> Oliver Burtchen wrote:
>>>> Hi @ all,
>>>>
>>>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
>>>> editing the config files. No luck!
>>>>
>>>> I found this is hard-coded in the sources, for example in:
>>>>
>>>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>>>> - pki-common-1.3.2/src/com/netscape/cmscore/security/CASigningCert.java
>>>>
>>>> Just look for "SHA1withRSA" in the files; I don't think these are just
>>>> fallbacks.
>>>>
>>>> Best regards,
>>>> Oli
>>>>
>>>>
>>>>
>>>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>>>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>>>> The only option that is visible under Advanced is the key-size
>>>>>> for each of the certificate-types. The hash algorithm does not
>>>>>> show up at all.
>>>>>>
>>>>>> Even the default, as mentioned by Step 8, is not the default as
>>>>>> the last 10-12 installs have shown:
>>>>>>
>>>>>> * SHA256withRSA (the default)
>>>>>>
>>>>>> So, the question is: is the current build of DogTag in the pki
>>>>>> repository identical to RHCS 8.0 or is it a different version?
>>>>> It might very well be ... we can look at the svn commits
>>>>> to be really sure...
>>>>>
>>>>>> Arshad Noor
>>>>>> StrongAuth, Inc.
>>>>>>
>>>>>> Chandrasekar Kannan wrote:
>>>>>>> the installation wizard should provide 'options' under the advanced
>>>>>>> section for you to be able to select the alg to use. Have you tried
>>>>>>> doing Step (8) from here ?
>>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>>>>> _______________________________________________
>>>>> Pki-users mailing list
>>>>> Pki-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>
>>>>
>>>
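Oliver's finding above is that the signing algorithm was fixed in the sources rather than in the configuration, so editing config files did not change it. The practical check that follows from that is to look at what the CA actually issued: read the signatureAlgorithm field of each certificate and flag SHA-1 (or MD5) signatures. The script below is an added example, not code from this thread, from Dogtag or from RHCS; it carries its own minimal DER reader so it runs with no third-party modules, and the two certificates it audits are constructed stand-ins whose tbsCertificate and signature are placeholders (they would not verify; only the algorithm identifier is meaningful).

```python
"""Audit DER/PEM X.509 certificates for the signature algorithm they carry.

Added example, not Dogtag/RHCS code. The sample certificates built by
build_sample_cert() are constructed placeholders for the demonstration.
"""
import base64

# OID -> JCA-style algorithm name, as used in the Dogtag config discussed above.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.1": "SHA1withECDSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}
WEAK_DIGEST_PREFIXES = ("SHA1", "MD5")


# ---- minimal DER encoding, only what build_sample_cert() needs -------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # lowest 7 bits, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))  # most significant group first
    return der_tlv(0x06, body)


# ---- minimal DER decoding ---------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]   # fine for the 1.x / 2.x arcs used here
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body."""
    lines = [l.strip() for l in pem_text.splitlines()
             if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def signature_algorithm(cert_der):
    """Return (oid, name) from the outer signatureAlgorithm of a DER Certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(cert_body, 0)           # skip tbsCertificate
    tag, alg_body, _ = _read_tlv(cert_body, pos)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_body)
    return oid, SIG_ALG_OIDS.get(oid, "unknown(" + oid + ")")


def is_weak(alg_name):
    return alg_name.upper().startswith(WEAK_DIGEST_PREFIXES)


def build_sample_cert(sig_oid):
    """Constructed placeholder certificate: only the AlgorithmIdentifier is real."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))            # stand-in tbsCertificate
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")     # OID + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\x00" * 16)             # stand-in BIT STRING
    return der_tlv(0x30, tbs + alg + sig)


def audit(certs):
    """certs: {label: DER bytes} -> list of (label, algorithm name, weak flag)."""
    report = []
    for label, der in certs.items():
        _, name = signature_algorithm(der)
        report.append((label, name, is_weak(name)))
    return report


if __name__ == "__main__":
    samples = {  # constructed samples; real use would read CA/subsystem certs from disk
        "ca-signing-old": build_sample_cert("1.2.840.113549.1.1.5"),
        "ca-signing-new": build_sample_cert("1.2.840.113549.1.1.11"),
    }
    for label, name, weak in audit(samples):
        print("%-16s %-16s %s" % (label, name, "WEAK" if weak else "ok"))
```

For a real deployment, replace the constructed samples with the DER of the CA signing, OCSP, subsystem and SSL server certificates (use `pem_to_der()` for PEM files); a certificate that still shows SHA1withRSA after the config change is the symptom Oliver described and means the rebuilt or erratum code path is needed rather than a config edit.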