[Pki-users] Questions on customizing certificate profiles

Arshad Noor arshad.noor at strongauth.com
Thu Apr 8 23:33:36 UTC 2010


I will give this a shot, Kevin - although I wonder how much
time it will take to get the Build environment right to get
through all the compiles vs. doing a "renewal" of the certs.

However, to follow up on the other issue - the documentation
on RHBA-2009-1602 suggests that only the SHA-2 algorithm issue
can be fixed.  Am I still stuck with the renewal method to get
the other certificate extensions fixed - the keyUsages, AIA,
OCSPNoCheck, etc?

Arshad Noor
StrongAuth, Inc.

Kevin Unthank wrote:
> Hi Arshad,
> 
> We most certainly have not forgotten our open-source roots.
> 
> In response to customer demand for this SHA2 functionality, Red Hat
> engineers implemented it and released it as an enhancement errata
> for RHCS8. At the very same time, the source code for that
> enhancement was made available, freely, to everyone in the dogtag
> community.
> 
> You can check out that code with SVN
> svn co https://pki.fedoraproject.org/svn/pki/branches/PKI_8_0_ERRATA_BRANCH
> Merge it with the dogtag source and compile your own dogtag
> packages with the desired functionality.
> 
> As I stated in my earlier response we absolutely intend to
> take the code from the open-source CS8 branch, and add it to the
> open-source dogtag tip but that work has not been scheduled yet.
> I will see if I can get the priority bumped up.
> 
> I strongly encourage you to create your own dogtag build
> environment so you can get access to the latest code checkins.
> There are instructions for doing this on the dogtag wiki and
> I know some of the community members have already done this.
> 
> There is no manipulation of the trust and goodwill of the
> open-source community going on here.
> 
> Cheers,
> Kev
> 
> On 04/08/2010 03:25 PM, Arshad Noor wrote:
>> I am sorry to read this, Kevin.  It suggests that RedHat has
>> forgotten its open-source roots and what made it a billion
>> dollar company in the first place.
>>
>> We are all familiar with the **** that companies put up with
>> when buying some commercial products. Open-source was meant
>> to be an answer to that problem - that quality could be vastly
>> improved in software when there were many eyes looking at the
>> source - not because some people just like the idea of seeing
>> the source-code of the products they use.
>>
>> That RedHat was making money on services off of open-source
>> products was perfectly acceptable - there is real value in
>> services. But, when the open-source company starts
>> differentiating its open-source products from its commercial
>> products, it subverts the whole notion of open-source and what
>> it stands for.
>>
>> If the fix did not exist and it was up to the open-source
>> community to prioritize the fix, that's one thing. But when
>> the fix *does* exist, and has been merged into the commercial
>> branch, but is not merged into the open-source branch - that
>> suggests deliberate manipulation of the trust and goodwill of
>> the open-source community.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>>
>> Kevin Unthank wrote:
>>> Hi Arshad,
>>>
>>> Obviously, there are differences between RHCS8 and the latest release
>>> of Dogtag. Generally, new feature development takes place in dogtag
>>> and some of those features find their way back into RHCS8. Bug fixing
>>> often occurs first in RHCS8 and those fixes are ported to dogtag.
>>>
>>> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
>>> code tree and released in both source and binary form in errata
>>> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
>>> commit to a specific release or date when this will happen.
>>>
>>> Until then it should be possible to work around the problem by using
>>> pkisilent or the renewal method suggested by Andrew.
>>>
>>> Cheers,
>>> Kev
>>>
>>> On 04/08/2010 10:55 AM, Arshad Noor wrote:
>>>> Can someone from the DogTag Engineering team confirm that a PKI
>>>> with only SHA-2 hashes *cannot* be built with the current version
>>>> of the product?
>>>>
>>>> I find this hard to believe given that the RHCS documentation seems
>>>> to indicate that it is possible to do so, and given that the
>>>> underlying code already has SHA-2 support; nevertheless, can someone
>>>> confirm Oliver's finding? Thanks.
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
>>>> can be configured at the time the self-signed cert is created, does
>>>> that imply that the commercial RHCS is technologically different from
>>>> the open-source DogTag? And, that it isn't just a question of RedHat
>>>> support?
>>>>
>>>>
>>>> Oliver Burtchen wrote:
>>>>> Hi @ all,
>>>>>
>>>>> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
>>>>> editing the config files. No luck!
>>>>>
>>>>> I found, this is hard-coded in the sources, for example in:
>>>>>
>>>>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>>>>> - pki-common-1.3.2/src/com/netscape/cmscore/security/CASigningCert.java
>>>>>
>>>>> Just look for "SHA1withRSA" in the files, I don't think these are just
>>>>> fallbacks.
>>>>> Best regards,
>>>>> Oli
>>>>>
>>>>>
>>>>>
>>>>> On Wednesday, 7 April 2010 03:27:04, Chandrasekar Kannan wrote:
>>>>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>>>>> The only option that is visible under Advanced is the key-size
>>>>>>> for each of the certificate-types. The hash algorithm does not
>>>>>>> show up at all.
>>>>>>>
>>>>>>> Even the default, as mentioned by Step 8, is not the default as
>>>>>>> the last 10-12 installs have shown:
>>>>>>>
>>>>>>> * SHA256withRSA (the default)
>>>>>>>
>>>>>>> So, the question is: is the current build of DogTag in the pki
>>>>>>> repository identical to RHCS 8.0 or is it a different version?
>>>>>> It might very well be ... we can look at the svn commits
>>>>>> to be really sure...
>>>>>>
>>>>>>> Arshad Noor
>>>>>>> StrongAuth, Inc.
>>>>>>>
>>>>>>> Chandrasekar Kannan wrote:
>>>>>>>> the installation wizard should provide 'options' under the advanced
>>>>>>>> section for you to be able to select the alg to use. Have you tried
>>>>>>>> doing Step (8) from here ?
>>>>>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuring_a_CA.html
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>
>>>>>
>>>>
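The thread turns on whether the CA really signs with SHA-2 once the wizard, the config files or a rebuilt Dogtag say "SHA256withRSA". The only thing a relying party sees is the DER of the certificate, so the check worth running after any rebuild or renewal is to read the signatureAlgorithm out of the CA certificate and a freshly issued certificate rather than trust the config string. The following is an added example, not code from this thread, Dogtag or RHCS: a dependency-free DER walk that extracts both the outer `signatureAlgorithm` and the inner `tbsCertificate.signature` (RFC 5280 requires them to match), names the algorithm by OID, and flags SHA-1. The sample certificates are constructed inline with only the fields the check reads and a dummy signature bit string; the `build_sample_cert`, `check_signature` and `signature_algorithms` names are this example's own.

```python
"""Report the signature algorithm a certificate was actually signed with.

Added example (not Dogtag/RHCS code). Sample certificates are constructed
inline: version + serial + inner AlgorithmIdentifier, a dummy signature,
and none of the other TBS fields, since the check never reads them.
"""

# Signature-algorithm OIDs mapped to the names the Dogtag config uses
# (RFC 3279 / 4055 / 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.1": "SHA1withECDSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
    "1.2.840.10045.4.3.3": "SHA384withECDSA",
    "1.2.840.10045.4.3.4": "SHA512withECDSA",
}
WEAK_ALGS = {"SHA1withRSA", "SHA1withECDSA"}


# --- minimal DER encoding, used only to build the constructed samples ------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def alg_id(dotted):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }
    return tlv(0x30, encode_oid(dotted) + b"\x05\x00")


def build_sample_cert(tbs_alg, outer_alg):
    """Constructed sample Certificate; tbs_alg/outer_alg are dotted OIDs."""
    version = tlv(0xA0, b"\x02\x01\x02")    # [0] EXPLICIT INTEGER 2 (v3)
    serial = b"\x02\x01\x01"                # INTEGER 1
    tbs = tlv(0x30, version + serial + alg_id(tbs_alg))
    sig = tlv(0x03, b"\x00" + b"\xAA" * 32) # BIT STRING, dummy signature bits
    return tlv(0x30, tbs + alg_id(outer_alg) + sig)


# --- minimal DER decoding ---------------------------------------------------
def parse_tlv(buf, off=0):
    """Return (tag, body, offset_after_element) for the element at off."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:                        # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    else:
        length, hdr = first, 2
    start = off + hdr
    return tag, buf[start:start + length], start + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def alg_name(alg_body):
    tag, oid_body, _ = parse_tlv(alg_body)  # first field of AlgorithmIdentifier
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    dotted = decode_oid(oid_body)
    return SIG_ALG_NAMES.get(dotted, dotted)


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature, Certificate.signatureAlgorithm)."""
    tag, cert, _ = parse_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, tbs, off = parse_tlv(cert)           # tbsCertificate
    _, outer_alg, _ = parse_tlv(cert, off)  # signatureAlgorithm
    tag, _, off = parse_tlv(tbs)            # version (optional) or serialNumber
    if tag == 0xA0:
        _, _, off = parse_tlv(tbs, off)     # skip serialNumber
    _, inner_alg, _ = parse_tlv(tbs, off)   # tbsCertificate.signature
    return alg_name(inner_alg), alg_name(outer_alg)


def check_signature(cert_der):
    """(ok, detail): ok only if inner/outer agree and neither is SHA-1."""
    inner, outer = signature_algorithms(cert_der)
    if inner != outer:
        return False, "tbsCertificate.signature %s != signatureAlgorithm %s" % (inner, outer)
    if outer in WEAK_ALGS:
        return False, "signed with %s" % outer
    return True, outer


if __name__ == "__main__":
    sha256, sha1 = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"
    for label, cert in (("sha2", build_sample_cert(sha256, sha256)),
                        ("sha1", build_sample_cert(sha1, sha1)),
                        ("mismatch", build_sample_cert(sha256, sha1))):
        print(label, check_signature(cert))
```

Against a real instance, feed `check_signature` the DER of the CA signing certificate and of one certificate issued after the change; `certutil -L -d <alias dir> -n "<CA nickname>" -a` (NSS) prints the PEM, which base64-decodes to the DER this expects. A mismatch between the inner and outer algorithm, or a SHA-1 name on either, means the config edit did not reach the code path that actually signs, which is exactly what the hard-coded "SHA1withRSA" strings Oliver found would produce.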



