Hi,
> I have created a csr using the elliptic curve secp256k1. When I copy this csr
> in the web interface and try to request a certificate, I get this error:
> "Used key parameter is not allowed by policy (curve_name: 1.3.132.0.10)"
>
> When I do the exact same thing but using the curve secp512r1, I don't have
> this problem.
>
> Further, I edited a few things in the file democa/profile/default.yaml:
> • I added the curve secp256k1 in the section ec: curve_name:
> • at the end of the file I added the string
> "#I18N_OPENXPKI_UI_KEY_CURVE_NAME_SECP256K1"
> But, this does not seem to solve the problem.
>
> Do I have to make some additional changes somewhere else?
Have a look at the comments above the key constraints setting in
config.d/realm.tpl/profile/default.yaml
...
ec:
# those names are used for validation and to render the
# option lit when server key generation is allowed
# The preset is the recommended list from RFC5480
# The possbile "named" curves are limited by the ones supported
# by Crypt::PKCS10 at the moment. For NIST P-192/256 you can use
# either the secpXXXr1 or primeXXXv1 alias
curve_name:
- prime256v1
- secp384r1
- secp521r1
...
As mentioned in the comment, only named curves supported by Crypt::PKCS10 are
accepted here. If you check the documentation of this module you will find that
the curve secp256k1 is not supported by Crypt::PKCS#10.
If you feel you need it (and/or possibly others), I suggest you take the time
to collect a list of OIDs and curve names and submit a pull request via
https://github.com/openxpki/Crypt-PKCS10
BTW, adding the string "#I18N_OPENXPKI_UI_KEY_CURVE_NAME_SECP256K1" literally
does nothing (short of informing the Gnu GetText about a possible translation).
Cheers
Martin
___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users