[Pki-users] CA/SSL certs customization

Ade Lee alee at redhat.com
Tue Dec 15 15:45:21 UTC 2015


On Tue, 2015-12-15 at 12:43 +0100, Cho Chan wrote:
> Hello all,
> 
> I am trying to build an internal PKI - a two-level CA (Root and
> Intermediate) with dogtag 10.1.2 on CentOS 7.1.
> 
> When I use pkispawn to create the first CA (Root) the certificates
> are created with predefined validity, signature algorithm, CN name,
> X509v3 extensions, etc.
> 
> I searched for options/parameters which I can use with pkispawn and
> the deployment config, but I managed to find only this:
> https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/ca.cfg
> 
> Are there such options/parameters to customize the validity, CN,
> algorithm, etc. during the build process with pkispawn?
> Or if not, what are my options?
> 
> Maybe I have to edit some of the cfg in /usr/share/pki/ca/conf ?
> 
> Much appreciated if someone can give me hints or help!
> 
> Thank you in advance!
> 
> Cho

Some of the properties you are looking for are specifiable in pkispawn.
See "man pki_default.cfg" and look for the section:
SYSTEM CERTIFICATE PARAMETERS.  Also, all the pkispawn parameters are
in /etc/pki/default.cfg

These parameters would include signing algorithm, subject dn, key size
etc.

As for things like validity and extensions, you will need to modify
the profiles used for the system certificates before starting pkispawn.
These files are: /usr/share/pki/ca/conf/*.profile

Ade
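
Added example, not part of the original thread and not Dogtag project code: a pre-spawn check that lists the validity each `*.profile` file would give a system certificate, since the reply says validity has to be set in the profiles before pkispawn runs. The key layout (`N.default.class=...ValidityDefault` with `N.default.params.range=<days>`), the `MAX_DAYS` policy limit, the function names, and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Assumption: a profile is a key=value file in which the validity default is
#   N.default.class=...ValidityDefault
#   N.default.params.range=<days>
# Function names and the MAX_DAYS limit are hypothetical, chosen for this example.

# profile_validity FILE: print the validity range (in days) set in FILE, if any.
profile_validity() {
    awk -F= '
        /^[0-9]+\.default\.class=.*ValidityDefault$/ { split($1, k, "."); seen[k[1]] = 1 }
        /^[0-9]+\.default\.params\.range=/ { split($1, k, "."); days[k[1]] = $2 }
        END { for (n in seen) if (n in days) print days[n] }
    ' "$1" | head -n 1
}

# check_profiles DIR MAX_DAYS: report every *.profile in DIR; return 1 if any
# profile exceeds MAX_DAYS or has no validity default at all.
check_profiles() {
    dir=$1 max=$2 rc=0
    for f in "$dir"/*.profile; do
        [ -e "$f" ] || continue
        d=$(profile_validity "$f")
        if [ -z "$d" ]; then
            echo "MISSING  $(basename "$f")"; rc=1
        elif [ "$d" -gt "$max" ]; then
            echo "TOO_LONG $(basename "$f") ${d}d"; rc=1
        else
            echo "OK       $(basename "$f") ${d}d"
        fi
    done
    return $rc
}

# Constructed sample profiles (values invented here, not copied from an install).
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' \
    '2.default.class=com.netscape.cms.profile.def.ValidityDefault' \
    '2.default.params.range=7305' > "$demo/caCert.profile"
printf '%s\n' '# constructed sample' \
    '2.default.class=com.netscape.cms.profile.def.ValidityDefault' \
    '2.default.params.range=720' > "$demo/serverCert.profile"
check_profiles "$demo" 3650 || echo "Edit the flagged profiles before running pkispawn."
```

On a real host the directory argument would be `/usr/share/pki/ca/conf`, the path given in the reply.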