Changing The Hashing Algorithm Used For Subsystem Keys - Red Hat CERTIFICATE SYSTEM 8 Install Manual

Hide thumbs Also See for CERTIFICATE SYSTEM 8:

Manual (86 pages)

Deployment manual (114 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

page of 132

/ 132
Contents
Table of Contents
Bookmarks

Table of Contents

chown -R agent-pki:agent-pki /home/agent-pki

h. In the terminal with the /home/agent-pki directory open, export the environment variable

that allows ECC support.

export NSS_USE_DECODED_CKA_EC_POINT=1

Open Firefox again. The Certicom module should be available and you should be able to log

into it successfully.

Then, import the agent certificate and root CA certificate or certificate chain into Firefox so that

the user profile can access the agent services pages.

19. The NSS_USE_DECODED_CKA_EC_POINT environment variable also needs to be set to access

the subsystem Java console with an ECC certificate. This can be set in the .bashrc file for the

user who uses the console. For example:

vim /home/jsmith/.bashrc

# User specific aliases and functions

NSS_USE_DECODED_CKA_EC_POINT=1

export NSS_USE_DECODED_CKA_EC_POINT

4.3. Changing the Hashing Algorithm Used for Subsystem

Keys

When a CA is installed, along with determining the key type and size, the hashing algorithm for the

key pair is set. However, for other subsystems, the hashing algorithm is not configurable, so they use

whatever the default is for the CA which issues their certificates.

Instead of using the CA's hashing algorithm, it is possible to edit the profiles used to generate the

subsystem certificates; then, the configuration wizard will use whatever hashing algorithm is in the

profile instead of the one used by the CA.

NOTE

This is true for subordinate CAs as well as other subsystems. While some of the

certificates for a sub CA are generated locally — and therefore can take a user-defined

hashing algorithm for their keys in the configuration wizard — other certificates for the sub

CA (like its signing certificate) are generated by another CA and default to that CA's key

hashing algorithm.

To assign the hashing algorithm to the certificate, add this line to the profile in the CA's profile

directory, such as /var/lib/instance_name/profiles/ca:

default.params.signingAlg=hashing_alg