Open pki-bot opened 3 years ago
Comment from saipandi at 2014-06-02 18:19:56
This is the certificate for the CA where the algorithm used is still SHA256withRSA even when the input provided is SHA512withRSA and so on.
[root@ipaqa64vma alias]# certutil -L -d -n "caSigningCert cert-pki-saili CA"
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
[root@ipaqa64vma alias]# certutil -L -d . -n "caSigningCert cert-pki-saili CA"
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS 1 SHA-256 With RSA Encryption
Issuer: "CN=CA Signing Certificate,O="idm.lab.bos.redhat.com #(leaving the hostname)""
Validity:
Not Before: Mon Jun 02 15:23:14 2014
Not After : Fri Jun 02 15:23:14 2034
Subject: "CN=CA Signing Certificate,O="idm.lab.bos.redhat.com #(leaving the hostname)""
Subject Public Key Info:
Public Key Algorithm: PKCS 1 RSA Encryption
RSA Public Key:
Modulus:
c4:2e:19:ae:88:78:63:d3:40:83:ee:30:c6:6d:16:a7:
7e:93:6c:16:a1:2b:98:d2:f7:aa:8c:6d:ac:e0:a2:17:
b3:fb:94:aa:54:7d:68:04:e3:f6:6b:f5:64:da:15:d9:
78:39:f5:22:2b:07:64:09:e0:af:4f:89:2e:9c:9c:50:
85:f2:9d:73:1c:d5:ca:57:56:69:ac:a4:f5:e6:39:b0:
b0:81:70:20:ff:bc:5a:fd:b8:55:36:5d:90:bd:12:d0:
b7:9b:cf:af:80:2d:52:e3:36:1b:f0:4c:8d:5b:9d:8b:
44:80:9d:a3:83:b5:8a:b2:05:bb:8d:5f:77:00:03:8a:
a5:77:dc:4b:f2:73:29:ee:3e:a6:d1:ab:ee:87:e4:34:
18:d2:df:e1:9f:3b:55:1c:3d:5f:6e:ac:db:0b:ae:51:
b2:d5:d1:d9:62:4b:97:12:3a:89:95:db:45:38:2d:ad:
13:35:b0:e5:9a:af:29:83:10:52:70:e9:f1:5e:ba:7e:
91:09:da:d8:d7:f3:41:47:6c:15:a3:4f:0c:58:6e:97:
d3:56:d1:1a:93:85:b9:47:ce:f4:1d:4a:8c:20:b1:a9:
7b:2d:93:f7:84:63:f9:f7:31:04:65:2f:84:43:28:4b:
21:05:2b:61:68:2f:6f:35:de:c6:44:65:aa:f0:a5:23
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
37:eb:b0:a8:b6:96:f6:92:87:9b:71:7b:5f:87:bb:d0:
f2:8a:f9:49
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Certificate Signing
CRL Signing
Name: Certificate Subject Key ID
Data:
37:eb:b0:a8:b6:96:f6:92:87:9b:71:7b:5f:87:bb:d0:
f2:8a:f9:49
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ipaqa64vma.idm.lab.bos.redhat.com:8080/ca/ocsp"
Signature Algorithm: PKCS 1 SHA-256 With RSA Encryption
Signature:
a9:57:ee:5d:f5:6c:22:94:9a:ad:89:1c:9a:7c:8e:fc:
9f:e4:d2:10:a9:2b:d6:d6:ec:36:f9:96:9f:92:ed:74:
f8:46:7e:4d:c4:2e:a0:76:99:76:db:9f:2e:a0:64:8a:
22:97:b8:bf:e8:87:9b:fb:1d:8e:4e:35:32:40:d5:71:
ca:fc:cd:33:24:13:13:2c:e2:8f:8c:db:92:8f:95:52:
05:29:4a:67:82:60:e8:ef:0c:81:60:9d:d6:37:1f:f4:
54:18:d3:78:9a:63:8f:75:24:d0:41:40:97:22:88:ac:
59:d9:fa:d9:18:65:17:82:61:92:66:e0:a8:f8:c0:fe:
85:2b:4d:4c:25:32:9f:6a:e0:98:fa:14:3e:02:97:5d:
01:33:6c:c2:65:f3:94:54:17:d6:0d:34:e3:be:71:3d:
c7:d1:c9:db:b1:82:9c:ce:34:c9:2d:68:86:b7:58:f1:
57:33:7b:82:81:d7:2d:fe:78:34:4f:5b:b3:69:84:60:
aa:af:61:5e:95:26:a1:c3:df:a8:bd:6b:f2:6e:6c:9c:
99:1e:7f:ff:a8:91:67:ba:2d:f2:4e:b5:f3:74:a5:e1:
c5:6b:0f:7f:e3:82:5b:59:81:b3:fc:9e:50:68:76:e7:
59:ce:b5:e9:5e:a3:8c:4c:85:69:20:0d:e4:57:42:b6
Fingerprint (MD5):
36:BD:70:2F:F1:B4:8C:4D:1B:3E:9D:4D:E6:21:52:E2
Fingerprint (SHA1):
24:4B:A4:D4:FE:98:3B:F4:16:39:C8:B7:43:AA:52:64:2E:35:4A:F0
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
Comment from saipandi at 2014-06-02 18:21:10
The parameter config file for pkispawn for the signing cert section is:
[CA]
pki_signing_key_type=RSA
pki_RSA_keysize=2048
pki_signing_key_algorithm=SHA512withRSA ## not used
pki_signing_signing_algorithm=SHA512withRSA ##not used
pki_signing_token=/tmp/saili
pki_signing_nickname=cacert ##not used
pki_signing_subject_dn=CN=PKI Signing,O=idm.lab.bos.redhat.com ##not used
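The two comments above can be tied together with a small check. The following is an added example, not code from the issue or from Dogtag PKI: it reads the signing algorithm requested in a pkispawn config fragment (constructed here to mirror the one posted, including the inline `##` remarks) and compares it with the hash that `certutil -L` actually prints on the certificate's "Signature Algorithm:" lines (a constructed excerpt of the dump posted above, with a placeholder issuer). A mismatch such as SHA512withRSA requested and SHA-256 issued is exactly the symptom reported.

```python
"""Added example (not from the issue or from Dogtag PKI): compare the
signature hash requested in a pkispawn config with the hash actually present
in the CA signing certificate as printed by `certutil -L`."""
import configparser
import re

# Constructed pkispawn fragment mirroring the report; the trailing
# "## not used" remarks are the reporter's inline comments.
PKISPAWN_CFG = """\
[CA]
pki_signing_key_type=RSA
pki_RSA_keysize=2048
pki_signing_key_algorithm=SHA512withRSA ## not used
pki_signing_signing_algorithm=SHA512withRSA ##not used
"""

# Constructed excerpt of the `certutil -L -d . -n <nickname>` dump from the
# report (issuer replaced by a placeholder). NSS prints the algorithm twice:
# inside the signed data and again next to the signature value.
CERTUTIL_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,O=example.test"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a9:57:ee:5d:f5:6c:22:94
"""

# pkispawn spelling, e.g. SHA512withRSA
_REQUESTED = re.compile(r"^SHA(\d{3})with(RSA|EC)$", re.IGNORECASE)
# NSS spelling, e.g. "PKCS #1 SHA-256 With RSA Encryption"; the "#" is
# optional because it is often lost when a dump is pasted into a tracker.
_NSS_LINE = re.compile(
    r"Signature Algorithm:\s*PKCS\s*#?\s*1\s+SHA-(\d{3})\s+With\s+RSA",
    re.IGNORECASE,
)


def requested_hash(config_text, section="CA", key="pki_signing_signing_algorithm"):
    """Return the hash named in the config, normalised to NSS style ("SHA-512")."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(config_text)
    value = cp.get(section, key).strip()
    m = _REQUESTED.match(value)
    if not m:
        raise ValueError(f"unrecognised signing algorithm {value!r}")
    return "SHA-" + m.group(1)


def actual_hashes(dump_text):
    """Every hash certutil reports on a 'Signature Algorithm:' line, in order."""
    return ["SHA-" + m.group(1) for m in _NSS_LINE.finditer(dump_text)]


def signing_algorithm_matches(config_text, dump_text):
    """True only if every signature-algorithm line carries the requested hash."""
    wanted = requested_hash(config_text)
    found = actual_hashes(dump_text)
    return bool(found) and all(h == wanted for h in found)


if __name__ == "__main__":
    print("requested:", requested_hash(PKISPAWN_CFG))
    print("in certificate:", actual_hashes(CERTUTIL_DUMP))
    print("match:", signing_algorithm_matches(PKISPAWN_CFG, CERTUTIL_DUMP))
```

Run it after `pkispawn` finishes, feeding it the real config and the output of `certutil -L -d <alias dir> -n <nickname>`; the script is deliberately tolerant of the pasted-dump spelling ("PKCS 1" versus "PKCS #1") so it works on a tracker copy as well as on live output. Both "Signature Algorithm:" lines are checked because a certificate whose inner and outer algorithm identifiers disagree is also malformed.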
Comment from saipandi at 2014-06-03 16:20:28
After changing the config file parameter names from pki_signing_key_algorithm to pki_ca_signing_keyalgorithm for example for all the parameters, the parameters are accepted and the default parameters are overridden. So, for subsystems the parameters should be pki
In man page the parameter pki_
For the parameter key type for the certificates, the upper case RSA is not taken as the input and an error is produced; only lower case rsa is accepted.
Comment from saipandi at 2017-02-27 14:12:01
Metadata Update from @saipandi:
This issue was migrated from Pagure Issue #1026. Originally filed by saipandi on 2014-06-02 18:18:53:
The parameters for CA signing certificate for example, the signing algorithm used, the nickname for the certificate are not changed but taken as default when given as inputs in the config file for pkispawn.