pki-bot / pki-issues-final


Pki-CA signing cert parameters not changed when given as input in the config file #1018

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #1026. Originally filed by saipandi on 2014-06-02 18:18:53:


The parameters for the CA signing certificate (for example, the signing algorithm used and the nickname for the certificate) are not changed but taken as default when given as inputs in the config file for pkispawn.

pki-bot commented 3 years ago

Comment from saipandi at 2014-06-02 18:19:56

This is the certificate for the CA where the algorithm used is still SHA256withRSA even when the input provided is SHA512withRSA and so on.

[root@ipaqa64vma alias]# certutil -L -d -n "caSigningCert cert-pki-saili CA"
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
[root@ipaqa64vma alias]# certutil -L -d . -n "caSigningCert cert-pki-saili CA"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,O="idm.lab.bos.redhat.com #(leaving the hostname)""
        Validity:
            Not Before: Mon Jun 02 15:23:14 2014
            Not After : Fri Jun 02 15:23:14 2034
        Subject: "CN=CA Signing Certificate,O="idm.lab.bos.redhat.com #(leaving the hostname)""
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c4:2e:19:ae:88:78:63:d3:40:83:ee:30:c6:6d:16:a7:
                    7e:93:6c:16:a1:2b:98:d2:f7:aa:8c:6d:ac:e0:a2:17:
                    b3:fb:94:aa:54:7d:68:04:e3:f6:6b:f5:64:da:15:d9:
                    78:39:f5:22:2b:07:64:09:e0:af:4f:89:2e:9c:9c:50:
                    85:f2:9d:73:1c:d5:ca:57:56:69:ac:a4:f5:e6:39:b0:
                    b0:81:70:20:ff:bc:5a:fd:b8:55:36:5d:90:bd:12:d0:
                    b7:9b:cf:af:80:2d:52:e3:36:1b:f0:4c:8d:5b:9d:8b:
                    44:80:9d:a3:83:b5:8a:b2:05:bb:8d:5f:77:00:03:8a:
                    a5:77:dc:4b:f2:73:29:ee:3e:a6:d1:ab:ee:87:e4:34:
                    18:d2:df:e1:9f:3b:55:1c:3d:5f:6e:ac:db:0b:ae:51:
                    b2:d5:d1:d9:62:4b:97:12:3a:89:95:db:45:38:2d:ad:
                    13:35:b0:e5:9a:af:29:83:10:52:70:e9:f1:5e:ba:7e:
                    91:09:da:d8:d7:f3:41:47:6c:15:a3:4f:0c:58:6e:97:
                    d3:56:d1:1a:93:85:b9:47:ce:f4:1d:4a:8c:20:b1:a9:
                    7b:2d:93:f7:84:63:f9:f7:31:04:65:2f:84:43:28:4b:
                    21:05:2b:61:68:2f:6f:35:de:c6:44:65:aa:f0:a5:23
                Exponent: 65537 (0x10001)
        Signed Extensions:
        Name: Certificate Authority Key Identifier
        Key ID:
            37:eb:b0:a8:b6:96:f6:92:87:9b:71:7b:5f:87:bb:d0:
            f2:8a:f9:49

        Name: Certificate Basic Constraints
        Critical: True
        Data: Is a CA with no maximum path length.

        Name: Certificate Key Usage
        Critical: True
        Usages: Digital Signature
                Non-Repudiation
                Certificate Signing
                CRL Signing

        Name: Certificate Subject Key ID
        Data:
            37:eb:b0:a8:b6:96:f6:92:87:9b:71:7b:5f:87:bb:d0:
            f2:8a:f9:49

        Name: Authority Information Access
        Method: PKIX Online Certificate Status Protocol
        Location: 
            URI: "http://ipaqa64vma.idm.lab.bos.redhat.com:8080/ca/ocsp"

Signature Algorithm: PKCS 1 SHA-256 With RSA Encryption
Signature:
    a9:57:ee:5d:f5:6c:22:94:9a:ad:89:1c:9a:7c:8e:fc:
    9f:e4:d2:10:a9:2b:d6:d6:ec:36:f9:96:9f:92:ed:74:
    f8:46:7e:4d:c4:2e:a0:76:99:76:db:9f:2e:a0:64:8a:
    22:97:b8:bf:e8:87:9b:fb:1d:8e:4e:35:32:40:d5:71:
    ca:fc:cd:33:24:13:13:2c:e2:8f:8c:db:92:8f:95:52:
    05:29:4a:67:82:60:e8:ef:0c:81:60:9d:d6:37:1f:f4:
    54:18:d3:78:9a:63:8f:75:24:d0:41:40:97:22:88:ac:
    59:d9:fa:d9:18:65:17:82:61:92:66:e0:a8:f8:c0:fe:
    85:2b:4d:4c:25:32:9f:6a:e0:98:fa:14:3e:02:97:5d:
    01:33:6c:c2:65:f3:94:54:17:d6:0d:34:e3:be:71:3d:
    c7:d1:c9:db:b1:82:9c:ce:34:c9:2d:68:86:b7:58:f1:
    57:33:7b:82:81:d7:2d:fe:78:34:4f:5b:b3:69:84:60:
    aa:af:61:5e:95:26:a1:c3:df:a8:bd:6b:f2:6e:6c:9c:
    99:1e:7f:ff:a8:91:67:ba:2d:f2:4e:b5:f3:74:a5:e1:
    c5:6b:0f:7f:e3:82:5b:59:81:b3:fc:9e:50:68:76:e7:
    59:ce:b5:e9:5e:a3:8c:4c:85:69:20:0d:e4:57:42:b6
Fingerprint (MD5):
    36:BD:70:2F:F1:B4:8C:4D:1B:3E:9D:4D:E6:21:52:E2
Fingerprint (SHA1):
    24:4B:A4:D4:FE:98:3B:F4:16:39:C8:B7:43:AA:52:64:2E:35:4A:F0

Certificate Trust Flags:
    SSL Flags:
        Valid CA
        Trusted CA
        User
        Trusted Client CA
    Email Flags:
        Valid CA
        Trusted CA
        User
    Object Signing Flags:
        Valid CA
        Trusted CA
        User
pki-bot commented 3 years ago

Comment from saipandi at 2014-06-02 18:21:10

The parameter config file for pkispawn for the signing cert section is:

[CA]
pki_signing_key_type=RSA
pki_RSA_keysize=2048
pki_signing_key_algorithm=SHA512withRSA ## not used
pki_signing_signing_algorithm=SHA512withRSA ##not used
pki_signing_token=/tmp/saili
pki_signing_nickname=cacert ##not used
pki_signing_subject_dn=CN=PKI Signing,O=idm.lab.bos.redhat.com ##not used

pki-bot commented 3 years ago

Comment from saipandi at 2014-06-03 16:20:28

  1. After changing the config file parameter names from pki_signing_key_algorithm to pki_ca_signing_keyalgorithm, for example, for all the parameters, the parameters are accepted and the default parameters are overridden. So, for subsystems the parameters should be pki__key_algorithm, for example.

  2. In the man page the parameter pki_keysize is given, whereas in the /etc/pki/default.cfg file pki__key_size is given.

  3. For the key type parameter for the certificates, the upper case RSA is not taken as the input and an error is produced; only lower case rsa is accepted.
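
Added example, not part of the original thread and not Dogtag PKI project code: a small Python check for the failure mode reported above. It lints the [CA] section of a pkispawn deployment config for signing-cert parameter names that pkispawn would silently ignore (plus the upper-case key type from point 3), then compares the signature algorithm the operator intended with the one `certutil -L` reports on the issued CA signing certificate. The set of accepted `pki_ca_signing_*` names is an assumption derived from the reporter's comment; `/etc/pki/default.cfg` on the target host is authoritative. The sample config and certutil lines are constructed from the text of this issue.

```python
import configparser
import re

# Assumed: names pkispawn accepts for the CA signing certificate in the [CA]
# section, following the pki_ca_signing_<field> pattern the reporter found to
# override the defaults. Extend this set from /etc/pki/default.cfg, which is
# the authoritative list on the host.
ACCEPTED_CA_SIGNING_KEYS = {
    "pki_ca_signing_key_type",
    "pki_ca_signing_key_size",
    "pki_ca_signing_key_algorithm",
    "pki_ca_signing_signing_algorithm",
    "pki_ca_signing_token",
    "pki_ca_signing_nickname",
    "pki_ca_signing_subject_dn",
}
# The algorithm the reporter's certificate ended up with when no name was recognized.
DEFAULT_SIGNING_ALGORITHM = "SHA256withRSA"

# Constructed sample: the reporter's [CA] section, inline notes included.
SAMPLE_CONFIG = """\
[CA]
pki_signing_key_type=RSA
pki_RSA_keysize=2048
pki_signing_key_algorithm=SHA512withRSA ## not used
pki_signing_signing_algorithm=SHA512withRSA ##not used
pki_signing_token=/tmp/saili
pki_signing_nickname=cacert ##not used
pki_signing_subject_dn=CN=PKI Signing,O=idm.lab.bos.redhat.com ##not used
"""

# The same section with the names pkispawn recognizes and a lower-case key type.
FIXED_CONFIG = """\
[CA]
pki_ca_signing_key_type=rsa
pki_ca_signing_key_size=2048
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ca_signing_token=/tmp/saili
pki_ca_signing_nickname=cacert
pki_ca_signing_subject_dn=CN=PKI Signing,O=idm.lab.bos.redhat.com
"""

# Constructed sample: the first lines of the reporter's certutil -L dump.
SAMPLE_CERTUTIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,O=idm.lab.bos.redhat.com"
"""

# Tolerates both "PKCS #1" and the "PKCS 1" form the bug tracker rendered.
_SIGALG_LINE = re.compile(r"Signature Algorithm:\s*PKCS\s*#?1\s+SHA-(\d+)\s+With\s+RSA", re.I)


def _parse(cfg_text):
    # pkispawn configs are INI files; "#" after whitespace starts an inline comment.
    cp = configparser.ConfigParser(delimiters=("=",),
                                   inline_comment_prefixes=("#",),
                                   interpolation=None)
    cp.read_string(cfg_text)
    return cp


def lint_ca_signing_params(cfg_text):
    """Return (name, reason) pairs for [CA] signing-cert parameters pkispawn would
    not honour. An unknown name is not an error to pkispawn: it is ignored and
    the default from /etc/pki/default.cfg applies, which is what this issue reports."""
    problems = []
    for name, value in _parse(cfg_text)["CA"].items():
        # ConfigParser lower-cases names, so pki_RSA_keysize arrives as pki_rsa_keysize.
        looks_like_signing_param = "signing" in name or "keysize" in name or "key_size" in name
        if looks_like_signing_param and name not in ACCEPTED_CA_SIGNING_KEYS:
            problems.append((name, "unrecognized name, default will be used"))
        elif name == "pki_ca_signing_key_type" and value != value.lower():
            # Point 3 in the thread: upper-case RSA is rejected, only rsa is accepted.
            problems.append((name, "key type must be lower case, e.g. rsa"))
    return problems


def intended_signing_algorithm(cfg_text):
    """What the operator tried to ask for: any [CA] name ending in _signing_algorithm."""
    for name, value in _parse(cfg_text)["CA"].items():
        if name.endswith("_signing_algorithm"):
            return value
    return DEFAULT_SIGNING_ALGORITHM


def effective_signing_algorithm(cfg_text):
    """What pkispawn will actually use: only the recognized name counts."""
    return _parse(cfg_text)["CA"].get("pki_ca_signing_signing_algorithm",
                                      DEFAULT_SIGNING_ALGORITHM)


def certutil_signing_algorithm(dump):
    """Read the signature algorithm from certutil -L output as a JSS-style name."""
    m = _SIGALG_LINE.search(dump)
    if not m:
        raise ValueError("no RSA signature algorithm line in certutil output")
    return "SHA%swithRSA" % m.group(1)


def verify_deployment(cfg_text, dump):
    """True when the issued CA signing cert carries the algorithm the operator intended."""
    return certutil_signing_algorithm(dump) == intended_signing_algorithm(cfg_text)


if __name__ == "__main__":
    for name, reason in lint_ca_signing_params(SAMPLE_CONFIG):
        print(name + ":", reason)
    print("intended:", intended_signing_algorithm(SAMPLE_CONFIG),
          "effective:", effective_signing_algorithm(SAMPLE_CONFIG),
          "issued:", certutil_signing_algorithm(SAMPLE_CERTUTIL),
          "ok" if verify_deployment(SAMPLE_CONFIG, SAMPLE_CERTUTIL) else "MISMATCH")
```

To use it on a real deployment, feed `lint_ca_signing_params` the config you pass to `pkispawn -f` before running it, and after installation feed `verify_deployment` the output of `certutil -L -d <alias directory> -n "<CA signing cert nickname>"`. The lint deliberately treats an unknown name as a finding rather than an error, because that is exactly the behaviour pkispawn shows here: nothing fails, the default is used, and the only place the mistake becomes visible is in the issued certificate.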

pki-bot commented 3 years ago

Comment from saipandi at 2017-02-27 14:12:01

Metadata Update from @saipandi: