Re: [Pki-users] Questions on customizing certificate profiles
Its a possibility it could work, Andrew, but it seems like a
rather convoluted way to get a straightforward task done. I
fear for the issues that I might run into with that process.
Am I the only one who is building a PKI with DogTag without
the use of SHA1? Seems hard to comprehend given that NIST has
recommended for the last 2 years that all new implementations
avoid SHA1, and to not use it starting Jan 2011.
Arshad Noor
StrongAuth, Inc.
Andrew Wnuk wrote:
Arshad,
You could try renewal called "Renew certificate to be manually approved
by agents". Customize your certificate using agent approval page and
import new certificate to NSS-DB.
Andrew
On 04/06/10 10:34, Arshad Noor wrote:
> Hi,
>
> I thought I used to know the Certificate Server, but it appears
> that so much has changed that I feel like I'm starting over again.
> Hopefully, I'm the one who's making mistakes and that DogTag is
> really not different from RHCS.
>
> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
> customize the initial certificates created by the installation
> process. For example, here is what I'm doing:
>
> 1) Run "yum install pki-ca".
> 2) Run "pkicreate" with appropriate parameters.
> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
> files to do the following:
>
> - Add "default.params.signingAlg=SHA256withRSA" to the files;
> - Remove digitalSignature and nonRepudiation for CA cert;
> - Remove digitalSignature, nonRepudiation, dataEncipherment
> for Server cert;
> - Change default validity periods, etc.
>
> Yet, none of the certificates generated by the installation process
> have these changes in them.
>
> I've tried stopping "pki-cad", copying the modified *.cfg files to
> the appropriate "<instance>/profiles/ca" directory and restarting
> pki-cad in case the service needed to see the modified files at
> startup - but to no avail.
>
> I've tried modifying the *.profile files in the /etc/<instance>
> directory, but to no avail.
>
> How does one customize the certificates before the self-signed cert
> is generated?
>
> I'm going through the PDF documentation for RHCS 8.0 and assuming
> that the instructions there apply to DogTag too. The version number
> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
> repository.
>
> Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users