Does this also change the value of the "Subject Key Identifier" and "Auth
Key Identifier" extensions?
I am getting inconsistent results, but I am not sure whether the algorithm
should be the same as the one used to sign the certificate.
- dhiva
On 10/24/12 2:09 PM, Andrew Wnuk wrote:
On 10/24/2012 01:38 PM, Nalin Dahyabhai wrote:
> On Wed, Oct 24, 2012 at 04:02:53PM -0400, Rob Crittenden wrote:
>> I assume he'd have to modify a profile to do this?
> There are two signatures when you're talking about using a CSR to
> request a certificate from an external CA.
>
> There's the digest used for the signature that the issuer includes in
> the certificate. In Dogtag, I believe that the allowed types are
> enumerated (by a signingAlgConstraint) in the profile, and the default
> is specified (as "ca.signing.defaultSigningAlgorithm") in the CA's
> CS.cfg file.
You can also specify a default signing algorithm in the profile without
changing the CA's default signing algorithm.
IPA's profile could, but does not, specify a default signing algorithm.
See caIPAserviceCert.cfg:
policyset.serverCertSet.8.default.params.signingAlg=-
To specify a default signing algorithm in the IPA profile, modify the above
line by including a signing algorithm from the constraint list.
See caIPAserviceCert.cfg:
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=. . .
>
> Someone please correct me if I'm looking at the wrong places there.
>
> Then there's the digest used for the self-signature that the client
> includes in the CSR. The IPA install script uses certutil, and it
> looks like certutil uses SHA1 by default. That's fine for this user,
> but I'll note that we can apparently use certutil's (undocumented?) -Z
> flag to switch that to something like SHA256.
>
> HTH,
>
> Nalin
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
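The profile-versus-CA-default relationship that Andrew and Nalin describe, as an added example (this is not code from Dogtag, IPA, or anyone on the thread). It resolves which signing algorithm a request through the profile will actually get, and rewrites the profile default the way Andrew suggests, refusing any algorithm the constraint would reject. It assumes three things you should verify against your own CA: that a profile default of "-" means "no default in the profile", so ca.signing.defaultSigningAlgorithm from CS.cfg applies; that signingAlgsAllowed is a comma-separated list; and the policyset.serverCertSet.8 key names quoted above. The sample config fragments and algorithm names are constructed.

```python
"""Resolve and set the signing algorithm for a Dogtag certificate profile.

Added example, not Dogtag/IPA code. Assumptions (verify against your CA):
  * default.params.signingAlg="-" means no profile default, so the CA-wide
    ca.signing.defaultSigningAlgorithm in CS.cfg is used;
  * constraint.params.signingAlgsAllowed is comma-separated;
  * the key prefix policyset.serverCertSet.8. as in caIPAserviceCert.cfg.
"""

# Constructed fragment in the style of caIPAserviceCert.cfg (not the real file).
SAMPLE_PROFILE = """\
# signing algorithm policy (constructed sample)
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
"""

# Constructed fragment in the style of the CA's CS.cfg (not the real file).
SAMPLE_CSCFG = """\
ca.signing.defaultSigningAlgorithm=SHA256withRSA
"""

POLICY_PREFIX = "policyset.serverCertSet.8."
DEFAULT_KEY = "default.params.signingAlg"
ALLOWED_KEY = "constraint.params.signingAlgsAllowed"
CA_DEFAULT_KEY = "ca.signing.defaultSigningAlgorithm"


def parse_kv(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def allowed_algs(profile_text, prefix=POLICY_PREFIX):
    """Algorithms the signingAlgConstraint will accept (empty list = unconstrained)."""
    raw = parse_kv(profile_text).get(prefix + ALLOWED_KEY, "")
    return [a.strip() for a in raw.split(",") if a.strip()]


def effective_signing_alg(profile_text, cscfg_text, prefix=POLICY_PREFIX):
    """Return (algorithm, source), where source is 'profile' or 'CS.cfg'.

    Raises ValueError if nothing is configured or if the chosen algorithm is
    not in signingAlgsAllowed, which is the misconfiguration to look for when
    a profile default is edited without consulting the constraint list.
    """
    profile_default = parse_kv(profile_text).get(prefix + DEFAULT_KEY, "-")
    if profile_default == "-":
        chosen, source = parse_kv(cscfg_text).get(CA_DEFAULT_KEY), "CS.cfg"
    else:
        chosen, source = profile_default, "profile"
    if not chosen:
        raise ValueError("no signing algorithm configured in profile or CS.cfg")
    allowed = allowed_algs(profile_text, prefix)
    if allowed and chosen not in allowed:
        raise ValueError(f"{chosen} (from {source}) not in signingAlgsAllowed {allowed}")
    return chosen, source


def set_profile_default(profile_text, alg, prefix=POLICY_PREFIX):
    """Return profile_text with default.params.signingAlg set to alg.

    Refuses an algorithm outside the constraint list, so the profile cannot be
    put into a state where its own default would be rejected.
    """
    allowed = allowed_algs(profile_text, prefix)
    if allowed and alg not in allowed:
        raise ValueError(f"{alg} not in signingAlgsAllowed {allowed}")
    key = prefix + DEFAULT_KEY
    out, found = [], False
    for line in profile_text.splitlines():
        if line.partition("=")[0].strip() == key:
            out.append(f"{key}={alg}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={alg}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("as shipped:", effective_signing_alg(SAMPLE_PROFILE, SAMPLE_CSCFG))
    updated = set_profile_default(SAMPLE_PROFILE, "SHA512withRSA")
    print("after edit:", effective_signing_alg(updated, SAMPLE_CSCFG))
```

Run it against your real caIPAserviceCert.cfg and CS.cfg by reading the files into the two text arguments; a ValueError from effective_signing_alg points at a default (in either place) that the constraint on the same policy set would reject.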