For this first CA, what about changing the pre-op settings in the main
config file, like:

    preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
    -->
    preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA

?

M.

On 04/06/2010 10:40 AM, Arshad Noor wrote:

One more bit of information; in addition to adding the
"default.params.signingAlg" parameter, I also modified the
following parameters in caCACert.cfg, but I still keep
getting SHA1withRSA; none of my changes are picked up in
the self-signed cert:

    policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
    policyset.caCertSet.9.constraint.name=No Constraint
    policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
    policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
    policyset.caCertSet.9.default.name=Signing Alg
    policyset.caCertSet.9.default.params.signingAlg=SHA256withRSA

Arshad Noor
StrongAuth, Inc.

Arshad Noor wrote:
> Hi,
>
> I thought I used to know the Certificate Server, but it appears
> that so much has changed that I feel like I'm starting over again.
> Hopefully, I'm the one who's making mistakes and that DogTag is
> really not different from RHCS.
>
> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
> customize the initial certificates created by the installation
> process. For example, here is what I'm doing:
>
> 1) Run "yum install pki-ca".
> 2) Run "pkicreate" with appropriate parameters.
> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
> files to do the following:
>
> - Add "default.params.signingAlg=SHA256withRSA" to the files;
> - Remove digitalSignature and nonRepudiation for CA cert;
> - Remove digitalSignature, nonRepudiation, dataEncipherment
> for Server cert;
> - Change default validity periods, etc.
>
> Yet, none of the certificates generated by the installation process
> have these changes in them.
>
> I've tried stopping "pki-cad", copying the modified *.cfg files to
> the appropriate "<instance>/profiles/ca" directory and restarting
> pki-cad in case the service needed to see the modified files at
> startup - but to no avail.
>
> I've tried modifying the *.profile files in the /etc/<instance>
> directory, but to no avail.
>
> How does one customize the certificates before the self-signed cert
> is generated?
>
> I'm going through the PDF documentation for RHCS 8.0 and assuming
> that the instructions there apply to DogTag too. The version number
> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
> repository.
>
> Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
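
An added example, not code from the thread or from the Dogtag project: a small audit that lists every signing-algorithm setting found in the configuration texts discussed above and flags SHA-1 (or older) values, so a leftover default is visible before the self-signed cert is generated. The source labels and sample contents are constructed from the keys quoted in the thread; the script only reports what is configured and does not determine which setting the installer honours.

```python
import re

# Digests treated as weak for certificate signatures in this example.
WEAK_DIGESTS = {"MD2", "MD5", "SHA1"}
# Key suffixes taken from the settings quoted in the thread.
ALG_KEY = re.compile(r"(signingAlg|signingAlgsAllowed|defaultSigningAlgorithm)$")

# Constructed sample contents; the labels are placeholders, not real paths.
SAMPLE_CONFIGS = {
    "main config": "preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA\n",
    "caCACert.cfg": (
        "# profile excerpt\n"
        "policyset.caCertSet.9.constraint.params.signingAlgsAllowed="
        "SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC\n"
        "policyset.caCertSet.9.default.params.signingAlg=SHA256withRSA\n"
    ),
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_signing_algs(configs):
    """Return (source, key, algorithm, is_weak) for every signing-alg setting."""
    findings = []
    for source, text in configs.items():
        for key, value in parse_properties(text).items():
            if not ALG_KEY.search(key):
                continue
            for alg in (a.strip() for a in value.split(",")):
                if alg:
                    # "SHA1withRSA" -> digest "SHA1"
                    digest = alg.split("with")[0].upper().replace("-", "")
                    findings.append((source, key, alg, digest in WEAK_DIGESTS))
    return findings

def weak_settings(configs):
    """Return only the settings whose digest is in WEAK_DIGESTS."""
    return [(s, k, a) for s, k, a, weak in audit_signing_algs(configs) if weak]

if __name__ == "__main__":
    for source, key, alg, weak in audit_signing_algs(SAMPLE_CONFIGS):
        print(f"{'WEAK' if weak else 'ok  '} {source}: {key} -> {alg}")
```
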