Unable to restrict key pair algorithm selection when enrolling via RA web interface #879
Hello everyone, I'm currently evaluating EJBCA for a potential enterprise deployment for my clients, and I’ve encountered something I don’t fully understand regarding key algorithm restrictions.

Here’s my current setup: In the Certificate Profile (for server authentication), I have restricted the available key algorithms to a specific subset (see screenshot below):

And this is the End Entity Profile linked to this cert profile:

However, when I access the RA web interface and attempt to enroll for a certificate where the key pair is to be generated by the CA, the dropdown allows me to select all available key algorithms, not just the ones configured in the profiles:

I know that the certificate's algorithm and the key pair’s algorithm can differ (e.g., signing an ECDSA key with an RSA CA is valid). However, I was under the impression that by configuring these constraints in the certificate and end entity profiles, I was also restricting what algorithms the CA would allow for key pair generation — especially from the RA interface.

Is there a way to enforce algorithm restrictions on the key pair generation step, specifically when the keys are to be generated by the CA through the RA web interface? Or are the certificate profile algorithm constraints only applied to the signing operation, and not to the algorithm used for the key pair itself?

Thanks in advance for your help
Replies: 1 comment 2 replies
The SERVER certificate profile that you have selected in the End Entity profile is a fixed template profile. In the end entity profile you need to select the certificate profile that you configured as "default" and "available". In the RA web you first select "Certificate type", which is the end entity profile; after that you select the "Certificate subtype", which is the certificate profile. As certificate subtype you should then select the certificate profile that you have restricted, and the options will be limited.
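The profile linkage the reply describes, as an added illustration that is not EJBCA's own code or data model: a small constructed model in which an end entity profile points at certificate profiles, and a lint check flags the misconfiguration from the question (the EE profile's default/available list still referencing the fixed SERVER template, so the RA web offers every key algorithm). Profile names, the `ALL_KEY_ALGORITHMS` catalogue and the `FIXED_TEMPLATE_PROFILES` set are assumptions for the example, not values read from an EJBCA instance.

```python
from dataclasses import dataclass

# Constructed catalogue for the example: what the RA web offers when nothing restricts it.
ALL_KEY_ALGORITHMS = {"RSA", "ECDSA", "Ed25519", "Ed448"}
# Fixed template profiles ship with EJBCA and cannot be edited, so they carry no operator restriction.
# Assumed list for this example.
FIXED_TEMPLATE_PROFILES = {"ENDUSER", "SUBCA", "ROOTCA", "OCSPSIGNER", "SERVER"}


@dataclass
class CertificateProfile:
    name: str
    available_key_algorithms: set  # empty set means "no restriction" in this model


@dataclass
class EndEntityProfile:
    name: str
    default_certificate_profile: str
    available_certificate_profiles: list


def ra_key_algorithm_options(ee, profiles, subtype):
    """Key algorithms the RA dropdown would list for the chosen 'Certificate subtype'."""
    if subtype not in ee.available_certificate_profiles:
        raise ValueError(f"{subtype} is not available in EE profile {ee.name}")
    if subtype in FIXED_TEMPLATE_PROFILES:
        return set(ALL_KEY_ALGORITHMS)  # fixed template: nothing restricts the dropdown
    allowed = profiles[subtype].available_key_algorithms
    return set(allowed) if allowed else set(ALL_KEY_ALGORITHMS)


def lint_profile_linkage(ee, profiles):
    """Return findings explaining why enrollment via this EE profile would not be restricted."""
    findings = []
    for name in ee.available_certificate_profiles:
        if name in FIXED_TEMPLATE_PROFILES:
            findings.append(f"available profile {name} is a fixed template; use your restricted profile")
        elif not profiles[name].available_key_algorithms:
            findings.append(f"profile {name} does not restrict key algorithms")
    if ee.default_certificate_profile in FIXED_TEMPLATE_PROFILES:
        findings.append(f"default profile {ee.default_certificate_profile} is a fixed template")
    return findings


# Constructed data mirroring the question: a restricted custom profile exists, but the EE profile
# still points at the fixed SERVER template.
PROFILES = {"Server-ECDSA-Only": CertificateProfile("Server-ECDSA-Only", {"ECDSA"})}
MISCONFIGURED = EndEntityProfile("Server-EE", "SERVER", ["SERVER"])
CORRECTED = EndEntityProfile("Server-EE", "Server-ECDSA-Only", ["Server-ECDSA-Only"])
```

Running `lint_profile_linkage(MISCONFIGURED, PROFILES)` reports the fixed-template references, while the corrected EE profile yields no findings and `ra_key_algorithm_options` collapses to the single allowed algorithm.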