[Pki-users] Questions on customizing certificate profiles

Oliver Burtchen o.burtchen at gmx.de
Thu Apr 8 23:26:30 UTC 2010


Hi @ all,

yes, I followed the "normal" installation, then did a renewal like Andrew 
suggested and installed this cert via pkiconsole.

And I also know the difference between CA installation and certificate renewal, 
this is what we are talking about. I did this only to get SHA-2 certificates, 
which is currently IMHO not possible with the normal installation of dogtag.

Best regards,
Oli


On Thursday, 8 April 2010 23:43:22, Arshad Noor wrote:
> Oliver,
> 
> So, what you did was complete the entire process using SHA-1,
> submit an immediate renewal after modifying the profiles and
> then install the renewed certificate with SHA-2?
> 
> A question for Kevin: is this going to require that all the
> certs generated through the installation process must go
> through an immediate renewal to get other custom parameters
> in them?  The certs I want have:
> 
> 1) SHA-256;
> 2) Custom key-usages - not default for everything;
> 3) Custom AIA extensions - (did you know that the AIA extension
>     in the OCSP Signing certificate has a pointer to the OCSP
>     URL?  I didn't look closely, but I think it may have also
>     been missing the OCSPNoCheck extension - how could OCSP work
>     at all with these defaults?)
> 4) Custom CPS extensions;
> 5) Etc.
> 
> The renewal method essentially forces us to install the PKI
> twice to get it right, with the additional burden of performing
> renewals, approvals, replacements, etc. to get the certs right.
> If there is one tiny error in this additional process, the work
> just multiplies from there.
> 
> This is not elegant at all, Kevin.
> 
> Is there any priority that can be placed towards merging the RHCS
> code into DogTag and fixing this?
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Oliver Burtchen wrote:
> > Just for the record,
> >
> > the "renewal method" seems to work, but it is very annoying. I would be
> > very glad to see the possibility to change the hash-alg as an option to
> > pkicreate, in the wizard or pkisilent. This is a feature-request.  ;-)
> >
> > Best regards,
> > Oli
> >
> > On Thursday, 8 April 2010 22:12:40, Oliver Burtchen wrote:
> >> Hi Kevin,
> >>
> >> thanks for making the differences plain. For me RHBA-2009-1602 is more a
> >> new feature than a bug fix, but okay.  ;-)
> >>
> >> It seems that pkisilent does not offer an option to change the hash to
> >> SHA-2, and as I wrote earlier, IMHO it is volitionally hard-coded. Most
> >> of the rest of dogtag has code to work with SHA-2.
> >>
> >> I will give the "renewal method" a try.
> >>
> >> Best regards,
> >> Oli
> >>
> >> On Thursday, 8 April 2010 20:51:14, Kevin Unthank wrote:
> >>> Hi Arshad,
> >>>
> >>> Obviously, there are differences between RHCS8 and the latest release
> >>> of Dogtag. Generally, new feature development takes place in dogtag
> >>> and some of those features find their way back into RHCS8. Bug fixing
> >>> often occurs first in RHCS8 and those fixes are ported to dogtag.
> >>>
> >>> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
> >>> code tree and released in both source and binary form in errata
> >>> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
> >>> commit to a specific release or date when this will happen.
> >>>
> >>> Until then it should be possible to work around the problem by using
> >>> pkisilent or the renewal method suggested by Andrew.
> >>>
> >>> Cheers,
> >>> Kev
> >>>
> >>> On 04/08/2010 10:55 AM, Arshad Noor wrote:
> >>>> Can someone from the DogTag Engineering team confirm that a PKI
> >>>> with only SHA-2 hashes *cannot* be built with the current version
> >>>> of the product?
> >>>>
> >>>> I find this hard to believe given that the RHCS documentation seems
> >>>> to indicate that it is possible to do so, and given that the
> >>>> underlying code already has SHA-2 support; nevertheless, can someone
> >>>> confirm Oliver's finding? Thanks.
> >>>>
> >>>> Arshad Noor
> >>>> StrongAuth, Inc.
> >>>>
> >>>> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
> >>>> can be configured at the time the self-signed cert is created, does
> >>>> that imply that the commercial RHCS is technologically different from
> >>>> the open-source DogTag? And, that it isn't just a question of RedHat
> >>>> support?
> >>>>
> >>>> Oliver Burtchen wrote:
> >>>>> Hi @ all,
> >>>>>
> >>>>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
> >>>>> editing the config files. No luck!
> >>>>>
> >>>>> I found, this is hard-coded in the sources, for example in:
> >>>>>
> >>>>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
> >>>>> - pki-common-1.3.2/src/com/netscape/cmscore/security/CASigningCert.java
> >>>>>
> >>>>> Just look for "SHA1withRSA" in the files, I don't think these are just
> >>>>> fallbacks.
> >>>>> Best regards,
> >>>>> Oli
> >>>>>
> >>>>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
> >>>>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
> >>>>>>> The only option that is visible under Advanced is the key-size
> >>>>>>> for each of the certificate-types. The hash algorithm does not
> >>>>>>> show up at all.
> >>>>>>>
> >>>>>>> Even the default, as mentioned by Step 8, is not the default as
> >>>>>>> the last 10-12 installs have shown:
> >>>>>>>
> >>>>>>> * SHA256withRSA (the default)
> >>>>>>>
> >>>>>>> So, the question is: is the current build of DogTag in the pki
> >>>>>>> repository identical to RHCS 8.0 or is it a different version?
> >>>>>>
> >>>>>> It might very well be ... we can look at the svn commits
> >>>>>> to be really sure...
> >>>>>>
> >>>>>>> Arshad Noor
> >>>>>>> StrongAuth, Inc.
> >>>>>>>
> >>>>>>> Chandrasekar Kannan wrote:
> >>>>>>>> the installation wizard should provide 'options' under the
> >>>>>>>> advanced section for you to be able to select the alg to use. Have
> >>>>>>>> you tried doing Step (8) from here ?
> >>>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Pki-users mailing list
> >>>>>> Pki-users at redhat.com
> >>>>>> https://www.redhat.com/mailman/listinfo/pki-users
> >>>>
> >>>
> 
> 

-- 
Oliver Burtchen, Berlin
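An added audit check for the problem this thread describes (a CA whose certificates were silently signed with SHA1withRSA): it reads the outer signatureAlgorithm OID straight from a DER certificate with no third-party module, so an operator can sweep the certificates a Dogtag 1.3 install produced and find the ones that still need the renewal workaround. This is example code written for this page, not code from the thread or from Dogtag; the `fake_cert` builder is a constructed sample input, and the OIDs are the standard RFC 3279 / RFC 4055 values.

```python
SIG_ALG_NAMES = {                 # RFC 3279 / RFC 4055 signature OIDs
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
}

def read_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                  # long-form length: 0x81 xx, 0x82 xx xx, ...
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    """Convert DER OID content bytes to dotted notation."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:          # a clear high bit ends the arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm, the outer SEQUENCE's 2nd child."""
    _, cert, _ = read_tlv(cert_der)
    sig_alg = [v for _, v in children(cert)][1]
    return decode_oid(next(v for t, v in children(sig_alg) if t == 0x06))

def is_sha1_signed(cert_der):
    """True when the outer signature is SHA1withRSA, the value the thread found hard-coded."""
    return SIG_ALG_NAMES.get(signature_algorithm(cert_der)) == "SHA1withRSA"

# Constructed sample input: a minimal DER skeleton modelling only the fields read above.
def tlv(tag, body):               # short-form length only; the samples are tiny
    return bytes([tag, len(body)]) + body

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def fake_cert(alg_oid):
    tbs = tlv(0x30, tlv(0x02, b"\x01"))             # placeholder tbsCertificate
    sig_alg = tlv(0x30, tlv(0x06, alg_oid) + b"\x05\x00")  # AlgorithmIdentifier
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00\xaa"))  # BIT STRING sig
```

For a real certificate, pass the bytes of a DER file (for example `signature_algorithm(open("ca.der", "rb").read())`); the parser handles the long-form lengths real certificates use even though the sample builder does not emit them.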