Reply To: Need more control on the Local CA parameters


#53743

garfield
Participant

Hello PatrickB,
I have tried to implement the message digest functionality in ZS 3.4.
But I have no chance to do this, because the glue for tags is hardcoded into the /usr/local/apache2/cgi-bin/kerbynet program. 🙁
At the moment all certificate generation uses the sha256 message digest algorithm, because it's my hardcoded fallback.
Any digest selection in the GUI has no effect on certificate generation.
I have changed these files:

    /root/kerbynet.cgi/template/x509_form
    /root/kerbynet.cgi/template/x509_form1
    /root/kerbynet.cgi/template/x509_setup
    /root/kerbynet.cgi/template/x509_user
    /root/kerbynet.cgi/scripts/x509_createAdminCert
    /root/kerbynet.cgi/scripts/x509_createDefaultCA
    /root/kerbynet.cgi/scripts/x509_createDefaultCert
    /etc/ssl/openssl.cnf

The new defines in the templates are: [DF]MD[md[2|5]|mdc2|rmd160|sha|sha[1|224|256|384|512]]
For example:

...
>sha256
...

analogous to the tags [DF]Key[512|1024|2048].
The new tag names are “digest” and “DefaultDigest”, for example:


...

<option ...

...

.
In the scripts I have used the variable DIGEST and read or set the default message digest value under: /var/register/system/ssl/ca/digest.
@fulvio:
IMHO you must implement:

    value transfer from templates into ../register/…/digest
    read out the digest from the root CA and write it into ../register/…/digest after import from an external source
    read out the value from ../register/…/digest and mark the appropriate tag as selected

Let me know if you are interested.
PS: As PatrickB already remarked, can you tell me why you use -sha512 in host certificate generation (see the file x509_createDefaultCert)?

Best regards
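
As an added example (not part of the post and not Zeroshell's own code), these shell functions show the read-out and write-back steps proposed above: deriving the digest from a CA certificate's signature algorithm, storing it in the register file named in the post, and reading it back with sha256 as the fallback. The function names and the `ca.pem` file name are hypothetical, the certificate text is constructed, and accepting only SHA-2 digests is an assumption of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Zeroshell's own code.
DIGEST_FILE="${DIGEST_FILE:-/var/register/system/ssl/ca/digest}"  # path from the post
FALLBACK_DIGEST="sha256"                                          # the post's fallback

# Constructed sample of `openssl x509 -noout -text` output.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: CN = Constructed Test CA
    Signature Algorithm: sha384WithRSAEncryption'

# Map the first "Signature Algorithm:" line (cert text on stdin) to a digest name.
# Prints nothing when the algorithm is not recognised.
digest_from_cert_text() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1 | tr 'A-Z' 'a-z' | {
        read -r alg || alg=""
        case "$alg" in
            sha224*|ecdsa-with-sha224) echo sha224 ;;
            sha256*|ecdsa-with-sha256) echo sha256 ;;
            sha384*|ecdsa-with-sha384) echo sha384 ;;
            sha512*|ecdsa-with-sha512) echo sha512 ;;
            sha1*|ecdsa-with-sha1)     echo sha1 ;;
            md5*)                      echo md5 ;;
        esac
    }
}

# Assumption: only SHA-2 digests are accepted; anything else uses the fallback.
select_digest() {
    case "$1" in
        sha224|sha256|sha384|sha512) echo "$1" ;;
        *) echo "$FALLBACK_DIGEST" ;;
    esac
}

# After a CA import: openssl x509 -in ca.pem -noout -text | store_ca_digest
store_ca_digest() {
    d=$(select_digest "$(digest_from_cert_text)")
    mkdir -p "$(dirname "$DIGEST_FILE")" && printf '%s\n' "$d" > "$DIGEST_FILE"
}

# In a generation script: DIGEST=$(load_digest), then e.g. openssl ca -md "$DIGEST"
load_digest() {
    d=""
    if [ -r "$DIGEST_FILE" ]; then read -r d < "$DIGEST_FILE" || true; fi
    select_digest "$d"
}
```

Because `load_digest` validates the stored value again, a register file edited by hand or left over from an older CA cannot push an unexpected digest into certificate generation.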