Hi, I thought I used to know the Certificate Server, but it appears that so much has changed that I feel like I'm starting over again. Hopefully, I'm the one who's making mistakes and that DogTag is really not different from RHCS. In trying to install DogTag on Fedora 11 (x86_64), I'm unable to customize the initial certificates created by the installation process. For example, here is what I'm doing: 1) Run "yum install pki-ca". 2) Run "pkicreate" with appropriate parameters. 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg files to do the following: - Add "default.params.signingAlg=SHA256withRSA" to the files; - Remove digitalSignature and nonRepudiation for CA cert; - Remove digitalSignature, nonRepudiation, dataEncipherment for Server cert; - Change default validity periods, etc. Yet, none of the certificates generated by the installation process have these changes in them. I've tried stopping "pki-cad", copying the modified *.cfg files to the appropriate "<instance>/profiles/ca" directory and restarting pki-cad in case the service needed to see the modified files at startup - but to no avail. I've tried modifying the *.profile files in the /etc/<instance> directory, but to no avail. How does one customize the certificates before the self-signed cert is generated? I'm going through the PDF documentation for RHCS 8.0 and assuming that the instructions there apply to DogTag too. The version number of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0 repository. Thanks. Arshad Noor StrongAuth, Inc. _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users

For this first CA, what about changing the pre-op settings in the main config file, like: preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA --> preop.cert.signing.defaultSigningAlgorithm=SHA256withRSA ? M. On 04/06/2010 10:40 AM, Arshad Noor wrote: > One more bit of information; in addition to adding the > "default.params.signingAlg" parameter, I also modified the > following parameters in caCACert.cfg, but I still keep > getting SHA1withRSA; none of my changes are picked up in > the self-signed cert: > > policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl > policyset.caCertSet.9.constraint.name=No Constraint > policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC > > policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl > policyset.caCertSet.9.default.name=Signing Alg > policyset.caCertSet.9.default.params.signingAlg=SHA256withRSA > > Arshad Noor > StrongAuth, Inc. > > Arshad Noor wrote: >> Hi, >> >> I thought I used to know the Certificate Server, but it appears >> that so much has changed that I feel like I'm starting over again. >> Hopefully, I'm the one who's making mistakes and that DogTag is >> really not different from RHCS. >> >> In trying to install DogTag on Fedora 11 (x86_64), I'm unable to >> customize the initial certificates created by the installation >> process. For example, here is what I'm doing: >> >> 1) Run "yum install pki-ca". >> 2) Run "pkicreate" with appropriate parameters. >> 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg >> files to do the following: >> >> - Add "default.params.signingAlg=SHA256withRSA" to the files; >> - Remove digitalSignature and nonRepudiation for CA cert; >> - Remove digitalSignature, nonRepudiation, dataEncipherment >> for Server cert; >> - Change default validity periods, etc. >> >> Yet, none of the certificates generated by the installation process >> have these changes in them. >> >> I've tried stopping "pki-cad", copying the modified *.cfg files to >> the appropriate "<instance>/profiles/ca" directory and restarting >> pki-cad in case the service needed to see the modified files at >> startup - but to no avail. >> >> I've tried modifying the *.profile files in the /etc/<instance> >> directory, but to no avail. >> >> How does one customize the certificates before the self-signed cert >> is generated? >> >> I'm going through the PDF documentation for RHCS 8.0 and assuming >> that the instructions there apply to DogTag too. The version number >> of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0 >> repository. >> >> Thanks. >> >> Arshad Noor >> StrongAuth, Inc. >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users(a)redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users

Arshad, You could try renewal called "Renew certificate to be manually approved by agents". Customize your certificate using agent approval page and import new certificate to NSS-DB. Andrew On 04/06/10 10:34, Arshad Noor wrote: > Hi, > > I thought I used to know the Certificate Server, but it appears > that so much has changed that I feel like I'm starting over again. > Hopefully, I'm the one who's making mistakes and that DogTag is > really not different from RHCS. > > In trying to install DogTag on Fedora 11 (x86_64), I'm unable to > customize the initial certificates created by the installation > process. For example, here is what I'm doing: > > 1) Run "yum install pki-ca". > 2) Run "pkicreate" with appropriate parameters. > 3) Modify the caCACert.cfg, caServerCert.cfg and all caInternal*.cfg > files to do the following: > > - Add "default.params.signingAlg=SHA256withRSA" to the files; > - Remove digitalSignature and nonRepudiation for CA cert; > - Remove digitalSignature, nonRepudiation, dataEncipherment > for Server cert; > - Change default validity periods, etc. > > Yet, none of the certificates generated by the installation process > have these changes in them. > > I've tried stopping "pki-cad", copying the modified *.cfg files to > the appropriate "<instance>/profiles/ca" directory and restarting > pki-cad in case the service needed to see the modified files at > startup - but to no avail. > > I've tried modifying the *.profile files in the /etc/<instance> > directory, but to no avail. > > How does one customize the certificates before the self-signed cert > is generated? > > I'm going through the PDF documentation for RHCS 8.0 and assuming > that the instructions there apply to DogTag too. The version number > of pki-ca I'm picking up is 1.3.2 even though I've specified the 1.2.0 > repository. > > Thanks. > > Arshad Noor > StrongAuth, Inc. > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users

the installation wizard should provide 'options' under the advanced section for you to be able to select the alg to use. Have you tried doing Step (8) from here ? http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Configuri...