[Pki-users] Questions on customizing certificate profiles

Veale, Sean sean.veale at gdc4s.com
Tue Apr 6 18:36:35 UTC 2010


I think the original self-signed cert is created when pkicreate is run,
but the actual set of profiles used during the wizard are the *.profile
files in the /var/lib/pki-ca/conf/ folder that was mentioned.

For the other subsystems (DRM, TKS, TPS; I never looked at the RA or OCSP
systems) it uses the caInternalAuth*.cfg files in the
/var/lib/pki-ca/profiles/ca folder for the subsystem certs (signing,
subsystem, OCSP certs, etc.) and the
/var/lib/pki-ca/profiles/ca/adminCert.profile for the software admin
certs loaded into your browser when running the wizards.

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
On Behalf Of John Magne
Sent: Tuesday, April 06, 2010 2:13 PM
To: Arshad Noor
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Questions on customizing certificate profiles


Did you try modifying the source of the files in
/var/lib/pki-ca/conf/*.profile?

When an instance is created, I believe the files are taken from here:

/usr/share/pki/ca/conf/*.profile


I imagine if you change the files in /var/lib/pki-ca/conf before
proceeding with the wizard, things should work. Perhaps the files are
cached into memory as soon as the instance is created and before the
wizard is executed.
----- Original Message -----
From: "Arshad Noor" <arshad.noor at strongauth.com>
To: pki-users at redhat.com
Sent: Tuesday, April 6, 2010 10:34:20 AM GMT -08:00 US/Canada Pacific
Subject: [Pki-users] Questions on customizing certificate profiles

Hi,

I thought I used to know the Certificate Server, but it appears
that so much has changed that I feel like I'm starting over again.
Hopefully, I'm the one who's making mistakes and that DogTag is
really not different from RHCS.

In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
customize the initial certificates created by the installation
process.  For example, here is what I'm doing:

1) Run "yum install pki-ca".
2) Run "pkicreate" with appropriate parameters.
3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
   files to do the following:

   - Add "default.params.signingAlg=SHA256withRSA" to the files;
   - Remove digitalSignature and nonRepudiation for CA cert;
   - Remove digitalSignature, nonRepudiation, dataEncipherment
     for Server cert;
   - Change default validity periods, etc.

Yet, none of the certificates generated by the installation process
have these changes in them.

I've tried stopping "pki-cad", copying the modified *.cfg files to
the appropriate "<instance>/profiles/ca" directory and restarting
pki-cad in case the service needed to see the modified files at
startup - but to no avail.

I've tried modifying the *.profile files in the /etc/<instance>
directory, but to no avail.

How does one customize the certificates before the self-signed cert
is generated?

I'm going through the PDF documentation for RHCS 8.0 and assuming
that the instructions there apply to DogTag too.  The version number
of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
repository.

Thanks.

Arshad Noor
StrongAuth, Inc.


_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users


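The edits Arshad describes (switching the signing algorithm to SHA256withRSA, dropping digitalSignature/nonRepudiation from the CA profile, changing the validity range) are plain key=value rewrites of a Dogtag profile file. The script below is an added example, not code from the Dogtag project or from anyone in this thread: it parses a profile in that format, applies those edits, and reports the effective key usage bits so you can confirm the file says what you meant before running the wizard. The SAMPLE_PROFILE is constructed for the example; its keys follow the policyset.<set>.<n>.{default,constraint}.params.* layout of Dogtag profiles, but the set numbers in a real caCACert.cfg may differ, so the helpers match on parameter name rather than on number. One assumption worth stating: the example also adds the new algorithm to the neighbouring signingAlgsAllowed constraint, on the assumption that a default outside the constraint's allowed list would be rejected.

```python
"""Apply the profile edits from the thread to a Dogtag-style *.cfg file
and check the result. Added example; sample profile is constructed."""
from __future__ import annotations

# Constructed sample, modelled on the caCACert.cfg layout (set numbers
# are illustrative and may not match a real installation).
SAMPLE_PROFILE = """\
desc=This certificate profile is for installing a CA signing certificate.
visible=false
enable=true
policyset.list=caCertSet
policyset.caCertSet.list=2,5,8
policyset.caCertSet.2.default.class_id=validityDefaultImpl
policyset.caCertSet.2.default.params.range=7305
policyset.caCertSet.5.default.class_id=keyUsageExtDefaultImpl
policyset.caCertSet.5.default.params.keyUsageCritical=true
policyset.caCertSet.5.default.params.keyUsageDigitalSignature=true
policyset.caCertSet.5.default.params.keyUsageNonRepudiation=true
policyset.caCertSet.5.default.params.keyUsageKeyCertSign=true
policyset.caCertSet.5.default.params.keyUsageCrlSign=true
policyset.caCertSet.5.default.params.keyUsageKeyEncipherment=false
policyset.caCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.caCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,MD5withRSA
policyset.caCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.caCertSet.8.default.params.signingAlg=SHA1withRSA
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments.
    Insertion order is kept so the file can be written back unchanged
    apart from the edited values."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed profile line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def dump_profile(props: dict[str, str]) -> str:
    return "".join(f"{k}={v}\n" for k, v in props.items())


def _param_keys(props: dict[str, str], suffix: str) -> list[str]:
    """Keys ending in '.default.params.<suffix>', whatever the set number."""
    return [k for k in props if k.endswith(".default.params." + suffix)]


def set_signing_alg(props: dict[str, str], alg: str) -> dict[str, str]:
    """Set every default signingAlg and keep the sibling
    signingAlgsAllowed constraint in step with it (assumption: a default
    missing from the allowed list would be rejected)."""
    for key in _param_keys(props, "signingAlg"):
        props[key] = alg
        prefix = key[: -len(".default.params.signingAlg")]
        allowed_key = prefix + ".constraint.params.signingAlgsAllowed"
        if allowed_key in props:
            allowed = [a for a in props[allowed_key].split(",") if a]
            if alg not in allowed:
                allowed.append(alg)
                props[allowed_key] = ",".join(allowed)
    return props


def clear_key_usages(props: dict[str, str], *usages: str) -> list[str]:
    """Turn the named keyUsage flags off (e.g. 'DigitalSignature') in
    every keyUsage extension default; returns the keys changed."""
    changed = []
    for usage in usages:
        for key in _param_keys(props, "keyUsage" + usage):
            props[key] = "false"
            changed.append(key)
    return changed


def set_validity_days(props: dict[str, str], days: int) -> dict[str, str]:
    """validityDefaultImpl takes its period as 'range' in days."""
    for key in _param_keys(props, "range"):
        props[key] = str(days)
    return props


def effective_key_usages(props: dict[str, str]) -> set[str]:
    """Key usage bits that the profile will assert (value 'true')."""
    bits = set()
    for key, value in props.items():
        name = key.rsplit(".", 1)[-1]
        if name.startswith("keyUsage") and name != "keyUsageCritical" and value == "true":
            bits.add(name[len("keyUsage"):])
    return bits


def customize_ca_profile(text: str) -> dict[str, str]:
    """The CA-profile edits from the thread, applied in one go."""
    props = parse_profile(text)
    set_signing_alg(props, "SHA256withRSA")
    clear_key_usages(props, "DigitalSignature", "NonRepudiation")
    set_validity_days(props, 3652)
    return props


if __name__ == "__main__":
    edited = customize_ca_profile(SAMPLE_PROFILE)
    print(dump_profile(edited))
    print("effective key usage:", sorted(effective_key_usages(edited)))
```

Run it against a copy of the real caCACert.cfg by replacing SAMPLE_PROFILE with the file's contents, then compare effective_key_usages() and the signingAlg value with what the issued certificate actually carries; if the file is right but the certificate is not, the wizard is reading the profile from somewhere else, which is the question this thread is about.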