Hi,

> Not all of our SCEP clients support the same signature algorithm. When they
> generate a CSR some have sha1 and others sha256, but the certificate is always
> generated with what I configure in profile/default.yaml.
>
> Is there a way to configure the certificate signature algorithm based on the
> CSR signature algorithm?

Currently not. It is certainly possible to modify the system (it is very flexible), but we consider the signature algorithm as a part of the CA policy which should be enforced by the CA and not provided by the end entity.

Certificate profiles can have different signature algorithms, so this is a way to make the signature algorithm selectable by the requester.

What you could also do is define a different SCEP endpoint with a different default certificate profile.

Please note that the client actually can request a profile by using a certificate extension in the CSR. If the server is properly configured, it can extract the requested profile, map it to an internal profile name (if necessary) and use the requested profile for issuance.

> How can I add a selection field for the signature algorithm
> in the key generation form on the web ui?

See above. The proper way to do this is to define a separate profile with a different signature algorithm and let the user choose between the profiles.

cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
