Re: [Pki-users] Questions on customizing certificate profiles

Hi Kevin, thanks for making the differences plain. For me RHBA-2009-1602 is more a new feature, than a bug fix, but okay. ;-) It seems that pkisilent does not offer an option to change the hash to SHA-2, and as I wrote earlier, IMHO it is volitional hard-coded. Most of the rest of dogtag has code to work with SHA-2. I will give the "renewal method" a try. Best regards, Oli Am Donnerstag, 8. April 2010 20:51:14 schrieb Kevin Unthank: > Hi Arshad, > > Obviously, there are differences between RHCS8 and the latest release > of Dogtag. Generally, new feature development takes place in dogtag > and some of those features find there way back into RHCS8. Bug fixing > often occurs first in RHCS8 and those fixes are ported to dogtag. > > PKI with only SHA-2 hashes is a fix that was made in the RHCS8 > code tree and released in both source binary form in errata > RHBA-2009-1602. That fix will make it into dogtag builds but I can't > commit to a specific release or date when this will happen. > > Until then it should be possible to work around the problem by using > pkisilent or the renewal method suggested by Andrew. > > Cheers, > Kev > > On 04/08/2010 10:55 AM, Arshad Noor wrote: > > Can someone from the DogTag Engineering team confirm that a PKI > > with only SHA-2 hashes *cannot* be built with the current version > > of the product? > > > > I find this hard to believe given that the RHCS documentation seems > > to indicate that it is possible to do so, and given that the > > underlying code already has SHA-2 support; nevertheless, can someone > > confirm Oliver's finding? Thanks. > > > > Arshad Noor > > StrongAuth, Inc. > > > > P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes > > can be configured at the time the self-signed cert is created, does > > that imply that the commercial RHCS is technologically different from > > the open-source DogTag? And, that it isn't just a question of RedHat > > support? > > > > Oliver Burtchen wrote: > >> Hi @ all, > >> > >> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by > >> editing the config files. No luck! > >> > >> I found, this is hard-coded in the sources, for example in: > >> > >> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java > >> - > >> pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java > >> > >> Just look for "SHA1withRSA" in the files, I don't think this are just > >> fallbacks. > >> Best regards, > >> Oli > >> > >> Am Mittwoch, 7. April 2010 03:27:04 schrieb Chandrasekar Kannan: > >>> On 04/06/2010 05:08 PM, Arshad Noor wrote: > >>>> The only option that is visible under Advanced is the key-size > >>>> for each of the certificate-types. The hash algorithm does not > >>>> show up at all. > >>>> > >>>> Even the default, as mentioned by Step 8, is not the default as > >>>> the last 10-12 installs have shown: > >>>> > >>>> * SHA256withRSA (the default) > >>>> > >>>> So, the question is: is the current build of DogTag in the pki > >>>> repository identical to RHCS 8.0 or is it a different version? > >>> > >>> It might very well be ... we can look at the svn commits > >>> to be really sure... > >>> > >>>> Arshad Noor > >>>> StrongAuth, Inc. > >>>> > >>>> Chandrasekar Kannan wrote: > >>>>> the installation wizard should provide 'options' under the advanced > >>>>> section for you to be able to select the alg to use. Have you tried > >>>>> doing Step (8) from here ? > >>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Con > >>>>>fi gur > >>>>> > >>>>> ing_a_CA.html > >>> > >>> _______________________________________________ > >>> Pki-users mailing list > >>> Pki-users(a)redhat.com > >>> https://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > > Pki-users mailing list > > Pki-users(a)redhat.com > > https://www.redhat.com/mailman/listinfo/pki-users > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users