Hi Kevin,
thanks for making the differences plain. For me RHBA-2009-1602 is more a new
feature, than a bug fix, but okay. ;-)
It seems that pkisilent does not offer an option to change the hash to SHA-2,
and as I wrote earlier, IMHO it is volitional hard-coded. Most of the rest of
dogtag has code to work with SHA-2.
I will give the "renewal method" a try.
Best regards,
Oli
Am Donnerstag, 8. April 2010 20:51:14 schrieb Kevin Unthank:
Hi Arshad,
Obviously, there are differences between RHCS8 and the latest release
of Dogtag. Generally, new feature development takes place in dogtag
and some of those features find there way back into RHCS8. Bug fixing
often occurs first in RHCS8 and those fixes are ported to dogtag.
PKI with only SHA-2 hashes is a fix that was made in the RHCS8
code tree and released in both source binary form in errata
RHBA-2009-1602. That fix will make it into dogtag builds but I can't
commit to a specific release or date when this will happen.
Until then it should be possible to work around the problem by using
pkisilent or the renewal method suggested by Andrew.
Cheers,
Kev
On 04/08/2010 10:55 AM, Arshad Noor wrote:
> Can someone from the DogTag Engineering team confirm that a PKI
> with only SHA-2 hashes *cannot* be built with the current version
> of the product?
>
> I find this hard to believe given that the RHCS documentation seems
> to indicate that it is possible to do so, and given that the
> underlying code already has SHA-2 support; nevertheless, can someone
> confirm Oliver's finding? Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
> P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
> can be configured at the time the self-signed cert is created, does
> that imply that the commercial RHCS is technologically different from
> the open-source DogTag? And, that it isn't just a question of RedHat
> support?
>
> Oliver Burtchen wrote:
>> Hi @ all,
>>
>> I also tried to change from "SHA1withRSA" to "SHA256withRSA"
by
>> editing the config files. No luck!
>>
>> I found, this is hard-coded in the sources, for example in:
>>
>> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
>> - pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java
>>
>> Just look for "SHA1withRSA" in the files, I don't think this are
just
>> fallbacks.
>> Best regards,
>> Oli
>>
>> Am Mittwoch, 7. April 2010 03:27:04 schrieb Chandrasekar Kannan:
>>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
>>>> The only option that is visible under Advanced is the key-size
>>>> for each of the certificate-types. The hash algorithm does not
>>>> show up at all.
>>>>
>>>> Even the default, as mentioned by Step 8, is not the default as
>>>> the last 10-12 installs have shown:
>>>>
>>>> * SHA256withRSA (the default)
>>>>
>>>> So, the question is: is the current build of DogTag in the pki
>>>> repository identical to RHCS 8.0 or is it a different version?
>>>
>>> It might very well be ... we can look at the svn commits
>>> to be really sure...
>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>> Chandrasekar Kannan wrote:
>>>>> the installation wizard should provide 'options' under the
advanced
>>>>> section for you to be able to select the alg to use. Have you tried
>>>>> doing Step (8) from here ?
>>>>>
http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Confi
>>>>>gur
>>>>>
>>>>> ing_a_CA.html
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users(a)redhat.com
>>>
https://www.redhat.com/mailman/listinfo/pki-users
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users