author: Matthew Harmsen <mharmsen@redhat.com> 2015-07-10 18:06:39 -0600
committer: Matthew Harmsen <mharmsen@redhat.com> 2015-07-10 18:08:58 -0600
commit: baa3a78df1be63056b5e65123d1e3e2097fcb61e (patch)
tree: 444ac0f5d40d8d739191b92a63a5e582295983fa /base
parent: 597bf54f3e999867a3e42686b3063b169b52018c (diff)
pkispawn man page ECC example
- PKI TRAC Ticket #1460 - Add 'pkispawn' man page example for ECC
Diffstat (limited to 'base')
-rw-r--r-- base/server/man/man8/pkispawn.8 | 34
1 files changed, 34 insertions, 0 deletions
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index ef1857d6f..cd8a91ffd 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -208,6 +208,40 @@ The instance name (defined by pki_instance_name) is pki-tomcat, and it is locate
A PKCS #12 file containing the administrator certificate is created in \fI$HOME/.dogtag/pki-tomcat\fP. This PKCS #12 file uses the password designated by pki_client_pkcs12_password in the configuration file.
.PP
To access the agent pages, first import the CA certificate by accessing the CA End Entity Pages and clicking on the Retrieval Tab. Be sure to trust the CA certificate. Then, import the administrator certificate in the PKCS #12 file.
+.SS CA using ECC default configuration
+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_ssl_server_key_algorithm=SHA256withEC
+pki_ssl_server_key_size=nistp256
+pki_ssl_server_key_type=ecc
+pki_subsystem_key_algorithm=SHA256withEC
+pki_subsystem_key_size=nistp256
+pki_subsystem_key_type=ecc
+
+[CA]
+pki_ca_signing_key_algorithm=SHA256withEC
+pki_ca_signing_key_size=nistp256
+pki_ca_signing_key_type=ecc
+pki_ca_signing_signing_algorithm=SHA256withEC
+pki_ocsp_signing_key_algorithm=SHA256withEC
+pki_ocsp_signing_key_size=nistp256
+pki_ocsp_signing_key_type=ecc
+pki_ocsp_signing_signing_algorithm=SHA256withEC
+.fi
+.PP
+In order to utilize ECC, the SSL Server and Subsystem key algorithm, key size, and key type should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, and rsa --> ecc, respectively.
+.PP
+Additionally, for a CA subsystem, both the CA and OCSP Signing key algorithm, key size, key type, and signing algorithm should be changed from SHA256withRSA --> SHA256withEC, 2048 --> nistp256, rsa --> ecc, and SHA256withRSA --> SHA256withEC,respectively.
+.TP
+\fBNote:\fP
+For all PKI subsystems including the CA, ECC is not supported for the corresponding Audit Signing parameters. Similarly, for KRA subsystems, ECC is not supported for either of the corresponding Storage or Transport parameters.
.SS KRA, OCSP, or TKS using default configuration
\x'-1'\fBpkispawn \-s <subsystem> \-f myconfig.txt\fR
.PP
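Review bot: In the added paragraph for CA subsystems, "SHA256withEC,respectively." is missing the space after the comma, and the "-->" arrows in both explanatory paragraphs use bare hyphens while the command line in the same hunk escapes them as \-; escaping the arrows the same way, or writing "to", would keep the rendering consistent. The positional "respectively" mapping across three and then four values is hard to follow, so a short list pairing each parameter with its RSA and ECC value would read more clearly. Since the Note says ECC is not supported for the Audit Signing parameters, it would also help to say explicitly that they are deliberately left out of the example configuration and stay unchanged, so a reader does not extend the same substitution to them.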