[Pki-users] Questions on customizing certificate profiles
Oliver Burtchen
o.burtchen at gmx.de
Fri Apr 9 00:42:31 UTC 2010
I agree with Arshad,
the /etc/<instance>/CF.cfg file is overridden when the "Key Pairs" tab in the
wizard is processed, no matter what you say in the *.cfg or *.profiles files
before.
I will have a look at the SVN-branch like Kevin suggests tomorrow. But I am
afraid that it does not matter. It's a pki.fedoraproject branch. I had a look
at rawhide, no difference. For example, search for "SHA1" here. It's still hard
coded:
https://pki.fedoraproject.org/svn/pki/branches/PKI_8_0_ERRATA_BRANCH/pki/base/common/src/com/netscape/cmscore/security/CASigningCert.java
BTW: There are other things which could be easily fixed, but are pending for 2
years, like my last two comments on this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=441974
Best regards,
Oli
Am Freitag, 9. April 2010 01:52:47 schrieb Arshad Noor:
> However, when I did modify the *.cfg files in the profiles/ca
> directory to customize the extensions, none of the changes were
> picked up. I've only focused on the SHA-2 issue because that
> seemed to be symptomatic of the underlying problem - but the
> real problem is that the entire certificate is not customizable
> in the installation process.
>
> Or, are you suggesting that with the fix compiled in, all the
> profile changes will get included too?
>
> Arshad Noor
> StrongAuth, Inc.
>
> Chandrasekar Kannan wrote:
> > On 04/08/2010 04:33 PM, Arshad Noor wrote:
> >> However, to follow up on the other issue - the documentation
> >> on RHBA-2009-1602 suggests that only the SHA-2 algorithm issue
> >> can be fixed. Am I still stuck with the renewal method to get
> >> the other certificate extensions fixed - the keyUsages, AIA,
> >> OCSPNoCheck, etc?
> >
> > I don't think so. You should be able to get those customized
> > by editing those profile config files in question before going
> > through the wizard. Sha-2 was a bit hard-coded IIRC, hence it
> > required code changes.
>
--
Oliver Burtchen, Berlin