Bug 1563685 - ipa-server-install cannot change default CA signing algorithm with option `--ca-signing-algorithm`.
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Reported: 2018-04-04 12:54 UTC by Gaurav Swami
Modified: 2021-09-09 13:36 UTC (History)
Last Closed: 2018-07-10 05:50:57 UTC
Attachments:
IPA server install logs. (3.99 MB, text/plain), 2018-04-04 12:54 UTC, Gaurav Swami

Description Gaurav Swami 2018-04-04 12:54:46 UTC
Created attachment 1417260 [details]
IPA server install logs.

Description of problem:

IPA currently uses the sha256WithRSAEncryption signature algorithm by default.

ipa-server-install cannot change the default CA signing algorithm with the option `--ca-signing-algorithm`.

Version-Release number of selected component (if applicable):

RHEL 7.5 beta 
ipa-server-4.5.4-7.el7.x86_64


How reproducible:

Install the IPA server as below:

# ipa-server-install --ca-signing-algorithm=SHA512withRSA



Actual results:

--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
    Signature:
    Fingerprint (SHA-512):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 
----------


Expected results:

--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
    Signature:
    Fingerprint (SHA-512):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 
----------


Additional info:

ipaserver-install.log attached.

Comment 2 Rob Crittenden 2018-04-04 13:17:45 UTC
The actual and expected certs are identical and both are using SHA-512.

Comment 3 Gaurav Swami 2018-04-04 13:46:02 UTC
Sorry for the mistake.


--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 

----------


Expected results:

--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
    Signature:
    Fingerprint (SHA-512):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 
----------

Comment 5 Rob Crittenden 2018-04-18 17:24:51 UTC
The CA in the attached log shows it is signed with sha512WithRSAEncryption.

I think there is a misunderstanding. The option only affects the signing algorithm used for the CA, NOT for the certificates issued by the CA.

A separate option in pki-spawn is needed for that, pki_ca_signing_signing_algorithm, which IPA does not supply and the default is sha256.
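
A check for the distinction Rob describes, added here as an example and not part of the bug report or of IPA's own code: it reads `certutil -L` output for the CA certificate and for a certificate the CA issued (the OCSP signing cert from the report) and says whether the two signature algorithms match, so an admin can see which one `--ca-signing-algorithm` actually changed. The trimmed sample output, the placeholder realm name and the `dump` helper (which shells out to certutil on a live system; `caSigningCert cert-pki-ca` is the IPA CA's own nickname) are assumptions.

```python
import re
import subprocess

# certutil prints "Signature Algorithm:" twice: once inside the Data block
# (the tbsCertificate field) and once for the outer signature. RFC 5280
# requires the two to match; a mismatch means a malformed certificate.
_SIG_ALG_RE = re.compile(r"^[ \t]*Signature Algorithm:[ \t]*(.+?)[ \t]*$", re.MULTILINE)
_NSS_RSA_RE = re.compile(r"PKCS #1 SHA-(\d+) With RSA Encryption")


def signature_algorithm(certutil_text: str) -> str:
    """Return the signature algorithm exactly as certutil names it."""
    found = _SIG_ALG_RE.findall(certutil_text)
    if len(found) != 2:
        raise ValueError(f"expected 2 'Signature Algorithm' lines, got {len(found)}")
    inner, outer = found
    if inner != outer:
        raise ValueError(f"tbsCertificate says {inner!r} but outer signature is {outer!r}")
    return inner

def to_pki_name(nss_name: str) -> str:
    """Map NSS wording to the SHA<n>withRSA form that --ca-signing-algorithm
    and pki_default.cfg use (RSA only; other key types raise)."""
    m = _NSS_RSA_RE.search(nss_name)
    if not m:
        raise ValueError(f"unrecognised or non-RSA algorithm: {nss_name}")
    return f"SHA{m.group(1)}withRSA"

def compare(ca_text: str, issued_text: str) -> dict:
    """Report the CA certificate's own algorithm next to an issued cert's."""
    ca_alg = to_pki_name(signature_algorithm(ca_text))
    issued_alg = to_pki_name(signature_algorithm(issued_text))
    return {"ca": ca_alg, "issued": issued_alg, "same": ca_alg == issued_alg}

def dump(dbdir: str, nickname: str) -> str:
    """Fetch live certutil output (not used by the offline sample below)."""
    cmd = ["certutil", "-L", "-d", dbdir, "-n", nickname]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed samples trimmed to the lines the check reads; the realm name
# is a placeholder, not the one from the report.
SAMPLE_CA = """Certificate:
    Data:
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Subject: "CN=Certificate Authority,O=EXAMPLE.TEST"
    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
"""
SAMPLE_OCSP = """Certificate:
    Data:
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Subject: "CN=OCSP Subsystem,O=EXAMPLE.TEST"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
"""

if __name__ == "__main__":
    # Live system: compare(dump(DB, "caSigningCert cert-pki-ca"), dump(DB, "ocspSigningCert cert-pki-ca"))
    print(compare(SAMPLE_CA, SAMPLE_OCSP))
```

With the report's setup the CA entry comes back as SHA512withRSA and the OCSP entry as SHA256withRSA, which is exactly the "option changed the CA, not the issued certs" outcome described in this comment.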

Comment 8 Alexander Bokovoy 2018-07-09 13:41:30 UTC
These settings can be changed in /etc/pki/default.cfg before deploying an IPA CA. There is strictly no need to change IPA for achieving it.

Comment 9 Alexander Bokovoy 2018-07-09 13:51:59 UTC
This is documented in pki_default.cfg(5) man page.

