On 10/25/2012 07:07 AM, Rob Crittenden wrote:
Nalin Dahyabhai wrote:
> On Wed, Oct 24, 2012 at 04:02:53PM -0400, Rob Crittenden wrote:
>> I assume he'd have to modify a profile to do this?
>
> There are two signatures when you're talking about using a CSR to
> request a certificate from an external CA.
>
> There's the digest used for the signature that the issuer includes in
> the certificate. In Dogtag, I believe that the allowed types are
> enumerated (by a signingAlgConstraint) in the profile, and the default
> is specified (as "ca.signing.defaultSigningAlgorithm") in the CA's
> CS.cfg file.
>
> Someone please correct me if I'm looking at the wrong places there.
>
> Then there's the digest used for the self-signature that the client
> includes in the CSR. The IPA install script uses certutil, and it
> looks like certutil uses SHA1 by default. That's fine for this user,
> but I'll note that we can apparently use certutil's (undocumented?) -Z
> flag to switch that to something like SHA256.

The CSR is generated by dogtag. I'm not sure if it forks out to
certutil or not but I'd suspect it doesn't.

Can someone from the CS team confirm that changing the
defaultSigningAlgorithm is the right thing to do here?

Andrew is correct that you can also just change the following line in
the profile (the "-" is telling the server to use the CA's default one
from the CS.cfg) so it will only affect that particular profile:

policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=-

to

policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA

rob
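As an added illustration of the profile/CS.cfg interaction described in this thread (example code, not part of the thread and not Dogtag's own implementation), the following resolves which signing algorithms a profile's signingAlgConstraint effectively permits: "-" defers to ca.signing.defaultSigningAlgorithm in CS.cfg, as the message above explains, while any other value is treated here as a comma-separated list. That list form, the class_id/name lines in the sample fragment, and the helper names are assumptions made for the example, and both config fragments are constructed. This is the kind of check an operator might run to audit which digests a CA will sign with before and after editing a profile.

```python
# Added example (not from the thread, not Dogtag code): resolve the effective
# set of signing algorithms a Dogtag profile constraint permits and rewrite
# the constraint line. The "-" semantics follow the email above; the
# comma-separated list form is an assumption about the config syntax.
from typing import Dict, List

PROFILE_KEY = "policyset.serverCertSet.8.constraint.params.signingAlgsAllowed"
CSCFG_KEY = "ca.signing.defaultSigningAlgorithm"

# Constructed sample fragments standing in for a profile file and CS.cfg.
SAMPLE_PROFILE = """\
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=-
"""
SAMPLE_CSCFG = """\
ca.signing.defaultSigningAlgorithm=SHA256withRSA
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed property line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_signing_algs(profile: Dict[str, str],
                           cscfg: Dict[str, str]) -> List[str]:
    """Algorithms the constraint allows once '-' is resolved to the CA default."""
    value = profile.get(PROFILE_KEY, "-")
    if value == "-":
        # Defer to the CA-wide default in CS.cfg, as the thread describes.
        return [cscfg[CSCFG_KEY]]
    return [alg.strip() for alg in value.split(",") if alg.strip()]


def is_allowed(alg: str, profile: Dict[str, str],
               cscfg: Dict[str, str]) -> bool:
    """Would a request for this signing algorithm pass the constraint?"""
    return alg in effective_signing_algs(profile, cscfg)


def set_profile_signing_algs(profile_text: str, algs: List[str]) -> str:
    """Return the profile text with the signingAlgsAllowed line rewritten.

    Only the one constraint line changes, so other profiles and the
    CA-wide default in CS.cfg are untouched (the thread's stated goal).
    """
    new_line = f"{PROFILE_KEY}={','.join(algs)}"
    out: List[str] = []
    found = False
    for raw in profile_text.splitlines():
        if raw.split("=", 1)[0].strip() == PROFILE_KEY:
            out.append(new_line)
            found = True
        else:
            out.append(raw)
    if not found:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    profile = parse_properties(SAMPLE_PROFILE)
    cscfg = parse_properties(SAMPLE_CSCFG)
    print("before:", effective_signing_algs(profile, cscfg))
    edited = parse_properties(set_profile_signing_algs(SAMPLE_PROFILE,
                                                       ["SHA1withRSA"]))
    print("after: ", effective_signing_algs(edited, cscfg))
```

Run against real files by reading the profile and CS.cfg from disk into the two parse_properties calls; the output makes explicit that with "-" in place the profile inherits whatever CS.cfg's default is, so a change to the CA default silently changes every profile that still carries "-".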
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel