[Pki-users] Update CA name "CA Signing Certificate" to a more meaninful name

Ade Lee alee at redhat.com
Sun Aug 17 20:33:39 UTC 2014


pkispawn takes a config file which can be used to override any parameter
in default.cfg.  Any parameter in this file will be used instead of the
value in default.cfg.  Any value not specified will take the default in
default.cfg.

The option is "pkispawn -f myconfig.cfg"

See man pkispawn and man pki_default.cfg for details and examples.

An example file would look something like:

[DEFAULT]
pki_admin_password=password123
pki_client_pkcs12_password=password123
pki_ds_password=password123

[CA]
pki_ca_signing_subject_dn=cn=<foo signing cert>,o=%(pki_security_domain_name)s


On Sat, 2014-08-16 at 14:22 -0700, Marc Sauton wrote:
> On 08/16/2014 12:28 PM, Ricardo Alexander Alexander Perez Ricardez wrote:
> > Hi, I create a CA in Interactive way, with default values:
> >
> > pkispawn use this file: etc/pki/default.cfg
> >
> > This file contains the value: pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
> >
> > Therefore, the CA is created with the default value: "CA Signing Certificate"
> >
> > I would change this to a more meaningful name, It’s possible update or change the name “CA Signing Certificate” to a new value name?
> >
> > pkispawn use argument -u "update instance of specified subsystem", It's possible to update the value using this option?
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
> It is in fact highly recommended to customize all the subject names, and 
> HTML pages if used.
> 
> cp -p /usr/share/pki/ca/conf/CS.cfg /usr/share/pki/ca/conf/CS.cfg.orig
> vim /usr/share/pki/ca/conf/CS.cfg
> ...
> preop.cert.signing.userfriendlyname=testms CA Signing Certificate
> preop.cert.audit_signing.userfriendlyname=testms CA Audit Signing 
> Certificate
> preop.cert.ocsp_signing.userfriendlyname=testms OCSP Signing Certificate
> preop.cert.sslserver.userfriendlyname=testms SSL Server Certificate
> preop.cert.subsystem.userfriendlyname=testms Subsystem Certificate
> ...
> 
> The u option of pkispawn was removed.
> There is now a tool called pki-upgrade to update those config files or 
> template when there is a package update or a manual change, so the 
> existing instances can get the newer config files.
> But in this case, the certificates need to be re-issued, so it is more a 
> change before creating a CA instance.
> 
> Thanks,
> M.
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users





More information about the Pki-users mailing list