On 04/06/2010 04:28 PM, Arshad Noor wrote:
It's a possibility it could work, Andrew, but it seems like a
rather convoluted way to get a straightforward task done. I
fear for the issues that I might run into with that process.
Am I the only one who is building a PKI with DogTag without
the use of SHA1? Seems hard to comprehend given that NIST has
recommended for the last 2 years that all new implementations
avoid SHA1, and to not use it starting Jan 2011.
Arshad Noor
StrongAuth, Inc.
Andrew Wnuk wrote:
> Arshad,
>
> You could try renewal called "Renew certificate to be manually
> approved by agents". Customize your certificate using agent approval
> page and import new certificate to NSS-DB.
>
> Andrew
>
> On 04/06/10 10:34, Arshad Noor wrote:
>> Hi,
>>
>> I thought I used to know the Certificate Server, but it appears
>> that so much has changed that I feel like I'm starting over again.
>> Hopefully, I'm the one who's making mistakes and that DogTag is
>> really not different from RHCS.
>>
>> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to
>> customize the initial certificates created by the installation
>> process. For example, here is what I'm doing:
>>
>> 1) Run "yum install pki-ca".
>> 2) Run "pkicreate" with appropriate parameters.
>> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg
>> files to do the following:
>>
>> - Add "default.params.signingAlg=SHA256withRSA" to the files;
>> - Remove digitalSignature and nonRepudiation for CA cert;
>> - Remove digitalSignature, nonRepudiation, dataEncipherment
>> for Server cert;
>> - Change default validity periods, etc.
>>
>> Yet, none of the certificates generated by the installation process
>> have these changes in them.
>>
>> I've tried stopping "pki-cad", copying the modified *.cfg files to
>> the appropriate "<instance>/profiles/ca" directory and restarting
>> pki-cad in case the service needed to see the modified files at
>> startup - but to no avail.
>>
>> I've tried modifying the *.profile files in the /etc/<instance>
>> directory, but to no avail.
>>
>> How does one customize the certificates before the self-signed cert
>> is generated?
>>
>> I'm going through the PDF documentation for RHCS 8.0 and assuming
>> that the instructions there apply to DogTag too. The version number
>> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0
>> repository.

The installation wizard should provide 'options' under the advanced
section for you to be able to select the alg to use. Have you tried
doing Step (8) from here?
http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuri...

>>
>> Thanks.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
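An added example, not part of the thread and not Dogtag code: a small audit of profile text for the settings the original post tries to change (the signing algorithm and unwanted key-usage bits), useful for confirming what a given *.cfg file actually says before and after editing. Only the "default.params.signingAlg" suffix comes from the thread; the "policyset.<set>.<n>." prefix, the keyUsage* parameter names and the meaning of "-" are assumptions, and the sample input is constructed.

```python
import re

# Constructed sample. Only the "default.params.signingAlg" suffix comes from the
# thread; the "policyset.<set>.<n>." prefix and keyUsage* names are assumptions.
SAMPLE = """\
# constructed profile fragment for illustration
policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
policyset.caCertSet.9.default.params.signingAlg=SHA1withRSA
"""

SIGNING_ALG = re.compile(r"^\S*default\.params\.signingAlg\s*=\s*(.*)$")
KEY_USAGE = re.compile(r"^\S*default\.params\.keyUsage(\w+)\s*=\s*(\w+)\s*$")
WEAK_DIGEST = re.compile(r"^(SHA-?1|MD[25])with", re.IGNORECASE)


def audit_profile(text, forbidden_usages=()):
    """Return (line_number, message) findings for one profile file's text."""
    forbidden = {u.lower() for u in forbidden_usages}
    findings, saw_alg = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        alg = SIGNING_ALG.match(line)
        if alg:
            saw_alg = True
            value = alg.group(1).strip()
            if value in ("", "-"):
                # Assumption: an empty or "-" value defers to the CA's default.
                findings.append((lineno, "signingAlg not pinned"))
            elif WEAK_DIGEST.match(value):
                findings.append((lineno, "weak signingAlg: " + value))
            continue
        usage = KEY_USAGE.match(line)
        if usage and usage.group(2).lower() == "true" \
                and usage.group(1).lower() in forbidden:
            findings.append((lineno, "unwanted key usage: " + usage.group(1)))
    if not saw_alg:
        findings.append((0, "no signingAlg line present"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_profile(SAMPLE, ("DigitalSignature", "NonRepudiation")):
        print(f"line {lineno}: {message}")
```

A clean result here only describes the file's contents; the signature algorithm and key usage of the issued certificate still need to be checked on the certificate itself.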