On Fri, Sep 12, 2014 at 05:04:05PM -0700, Christina Fu wrote:
 Hi Fraser,
 
 The CA does not need to be DSA.  It can be RSA and sign a DSA cert for you.
 You just need to generate a CSR with a DSA key.
  
Thanks Christina,

Sorry, I could have more clearly stated my objective.  I wish to
configure the CA to use a DSA signing key.  And while on that topic,
I would also like to know how to configure it to use ECDSA to sign
requests.  I imagine the process would be similar in either case.

Regards,
Fraser

 For example, you can use certutil to generate a DSA CSR:
 # certutil -d . -R -k dsa -s "CN=cfuTestDSA" -a -o cfuDSA.req.b64
 # cat cfuDSA.req.b64
 
 Paste that into "Other Certificate Enrollment" at the CA EE page, submit.
 Go to CA agent and approve it and I see:
 <snip>
 
             Subject Public Key Info:
                 Algorithm: DSA - 1.2.840.10040.4.1
 <snip>
 
 
 Hope this helps,
 Christina
 
 
 On 09/11/2014 12:22 AM, Fraser Tweedale wrote:
 >Hi all,
 >
 >Is there some documentation somewhere about how to set up /
 >configure a CA subsystem such that it can sign requests with DSA
 >rather than RSA?
 >
 >I guess that you need to spawn an instance with a DSA signing key or
 >somehow configure one after the spawning, but I'm not sure how to do
 >this.
 >
 >Cheers,
 >
 >Fraser
 >
 >_______________________________________________
 >Pki-users mailing list
 >Pki-users(a)redhat.com
 >https://www.redhat.com/mailman/listinfo/pki-users
 
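
An added example, not part of the thread and not Dogtag code: this Python code reads the subject key algorithm out of a base64 PKCS#10 request such as the file certutil writes above, so the DSA key can be confirmed before the request is pasted into the enrollment page. The function names and the skeleton sample request are constructed for illustration.

```python
import base64

KEY_ALGS = {"1.2.840.10040.4.1": "DSA",    # value shown on the agent page
            "1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}

def read_tlv(buf, pos=0):
    """Decode one definite-length DER element: (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # contents of a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, acc = [], 0
    for b in body:                          # base-128 digits, high bit = more follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)           # first octet packs the first two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def csr_key_algorithm(b64_text):
    """Return (oid, name) of the subject key in a base64 PKCS#10 request."""
    lines = [l.strip() for l in b64_text.splitlines() if not l.startswith("-----")]
    _, request, _ = read_tlv(base64.b64decode("".join(lines)))
    info = children(request)[0][1]          # certificationRequestInfo
    spki = children(info)[2][1]             # follows version and subject
    oid = decode_oid(children(children(spki)[0][1])[0][1])  # AlgorithmIdentifier OID
    return oid, KEY_ALGS.get(oid, "unknown")

def _tlv(tag, body):                        # sample builder only; bodies under 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
# Constructed skeleton (dummy key bits, no signature), not a real request.
_spki = _tlv(0x30, _tlv(0x30, bytes.fromhex("06072a8648ce380401")) + _tlv(3, bytes(130)))
SAMPLE_B64 = base64.b64encode(_tlv(0x30, _tlv(0x30,
    _tlv(2, b"\x00") + _tlv(0x30, b"") + _spki + _tlv(0xA0, b"")))).decode()
```

Calling `csr_key_algorithm(open("cfuDSA.req.b64").read())` on the certutil output reports the key type regardless of which algorithm the CA itself signs with.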