[Pki-users] Questions on customizing certificate profiles

Arshad Noor arshad.noor at strongauth.com
Tue Apr 6 23:28:33 UTC 2010 

Its a possibility it could work, Andrew, but it seems like a
rather convoluted way to get a straightforward task done.  I
fear for the issues that I might run into with that process.

Am I the only one who is building a PKI with DogTag without
the use of SHA1?  Seems hard to comprehend given that NIST has
recommended for the last 2 years that all new implementations
avoid SHA1, and to not use it starting Jan 2011.

Arshad Noor
StrongAuth, Inc.


Andrew Wnuk wrote:
> Arshad,
> 
> You could try renewal called "Renew certificate to be manually approved 
> by agents". Customize your certificate using agent approval page and 
> import new certificate to NSS-DB.
> 
> Andrew
> 
> On 04/06/10 10:34, Arshad Noor wrote:
>> Hi,
>>
>> I thought I used to know the Certificate Server, but it appears
>> that so much has changed that I feel like I'm starting over again.
>> Hopefully, I'm the one who's making mistakes and that DogTag is
>> really not different from RHCS.
>>
>> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
>> customize the initial certificates created by the installation
>> process.  For example, here is what I'm doing:
>>
>> 1) Run "yum install pki-ca".
>> 2) Run "pkicreate" with appropriate parameters.
>> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
>>    files to do the following:
>>
>>     - Add "default.params.signingAlg=SHA256withRSA" to the files;
>>     - Remove digitalSignature and nonRepudiation for CA cert;
>>     - Remove digitalSignature, nonRepudiation, dataEncipherment
>>         for Server cert;
>>     - Change default validity periods, etc.
>>
>> Yet, none of the certificates generated by the installation process
>> have these changes in them.
>>
>> I've tried stopping "pki-cad", copying the modified *.cfg files to
>> the appropriate "<instance>/profiles/ca" directory and restarting
>> pki-cad in case the service needed to see the modified files at
>> startup - but to no avail.
>>
>> I've tried modifying the *.profile files in the /etc/<instance>
>> directory, but to no avail.
>>
>> How does one customize the certificates before the self-signed cert
>> is generated?
>>
>> I'm going through the PDF documentation for RHCS 8.0 and assuming
>> that the instructions there apply to DogTag too.  The version number
>> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
>> repository.
>>
>> Thanks.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>

More information about the Pki-users mailing list