Bug 499494

Summary: change CA defaults to SHA2
Product: [Retired] Dogtag Certificate System
Component: CA
Reporter: Chandrasekar Kannan <ckannan>
Assignee: Christina Fu <cfu>
QA Contact: Chandrasekar Kannan <ckannan>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Version: unspecified
CC: awnuk, benl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-04 20:25:04 UTC
Bug Blocks: 445047

Attachments:
- changed default from sha1 to sha256 in FileSigningInput (awnuk: review+)
- removed hardcoded sha1 sig alg for profile (awnuk: review+)

Description Chandrasekar Kannan 2009-05-06 21:01:23 UTC
Currently SHA1 is not recommended by security experts.
We should switch our defaults to use SHA2.

Comment 16 Kashyap Chamarthy 2011-01-04 12:34:42 UTC
VERIFIED
CS 8.1 nightly(21st Dec 2010 build) ; x86_64
RHEL5.6 nightly ; x86_64

Procedures for several fixes in comment #8, comment #11, comment #12:

1/ Signing algorithms in CS.cfg of CA are all SHA256
===========================
[root@cspki yum.repos.d]# grep SHA256 /var/lib/pki-ca/conf/CS.cfg 
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
cloning.audit_signing.keyalgorithm=SHA256withRSA
cloning.ocsp_signing.keyalgorithm=SHA256withRSA
cloning.subsystem.keyalgorithm=SHA256withRSA
[root@cspki yum.repos.d]# 
=============================

2/ Adding a new profile results in setting its signing algorithm to '-' (which is the CA's default - SHA256withRSA)

3/ Adding a new CRL issuing point results in "Revocation list signing algorithm" value as SHA256withRSA
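A caveat on the check in step 1 above: `grep SHA256` matches the ca.Policy.rule.SigningAlgRule.algorithms line, but that line is an allow-list that still lists MD5withRSA, MD2withRSA and SHA1withRSA, and ca.scep.allowedHashAlgorithms still lists SHA1. The fix in this bug changed the CA's defaults, not the allow-lists, so a grep for SHA256 proves the defaults moved but says nothing about what the CA will still accept. The following is an added example, not code from Dogtag or from this bug: it parses the key=value format of CS.cfg and reports weak single-valued defaults separately from weak allow-list entries. The key names are the ones in the grep output of comment 16; the two sample configurations are constructed here, and the "before fix" one assumes the old defaults were SHA1withRSA.

```python
"""Audit a Dogtag CA CS.cfg for MD2/MD5/SHA-1 signing-algorithm settings.

Added example, not Dogtag code.  It separates two things a plain
`grep SHA256` lumps together:

  * single-valued keys (cloning.*.keyalgorithm), which are the defaults
    this bug changed to SHA256withRSA; and
  * comma-separated allow-lists (ca.Policy.rule.SigningAlgRule.algorithms,
    ca.scep.allowedHashAlgorithms), which still permit weak algorithms.
"""

# Hashes this audit treats as weak: MD2 and MD5 are broken, SHA-1 is the
# algorithm this bug moves the defaults away from.
WEAK_HASHES = {"MD2", "MD5", "SHA1"}

# Constructed sample 1: exactly the lines grep printed in comment 16
# (the post-fix state).
CS_CFG_AFTER_FIX = """\
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
cloning.audit_signing.keyalgorithm=SHA256withRSA
cloning.ocsp_signing.keyalgorithm=SHA256withRSA
cloning.subsystem.keyalgorithm=SHA256withRSA
"""

# Constructed sample 2: the same keys with SHA1withRSA defaults.  This is
# an assumption about the pre-fix values; the bug only says they were SHA-1.
CS_CFG_BEFORE_FIX = CS_CFG_AFTER_FIX.replace(
    "keyalgorithm=SHA256withRSA", "keyalgorithm=SHA1withRSA")


def parse_cs_cfg(text):
    """Parse CS.cfg 'key=value' lines into a dict.

    Blank lines and '#' comments are skipped; only the first '=' splits
    key from value, so values that contain '=' survive intact.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def hash_of(alg):
    """'SHA1withRSA' -> 'SHA1', 'SHA256withEC' -> 'SHA256', 'SHA1' -> 'SHA1'."""
    return alg.split("with", 1)[0].upper()


def is_weak(alg):
    return hash_of(alg) in WEAK_HASHES


def audit(cfg):
    """Return (weak_defaults, weak_allowed).

    weak_defaults: algorithm keys whose single value is a weak algorithm
                   (key -> that algorithm).
    weak_allowed:  list-valued algorithm keys -> the weak entries they
                   still permit.
    Keys are selected by name containing 'alg' (case-insensitive), which
    covers every key in the grep output above.
    """
    weak_defaults = {}
    weak_allowed = {}
    for key, value in cfg.items():
        if "alg" not in key.lower():
            continue
        algs = [a.strip() for a in value.split(",") if a.strip()]
        weak = [a for a in algs if is_weak(a)]
        if not weak:
            continue
        if len(algs) == 1:
            weak_defaults[key] = algs[0]
        else:
            weak_allowed[key] = weak
    return weak_defaults, weak_allowed


def report(text):
    """Print a summary; return True only when no single-valued default is weak."""
    weak_defaults, weak_allowed = audit(parse_cs_cfg(text))
    for key, alg in sorted(weak_defaults.items()):
        print(f"FAIL default    {key} = {alg}")
    for key, algs in sorted(weak_allowed.items()):
        print(f"WARN allow-list {key} still permits {', '.join(algs)}")
    if not weak_defaults:
        print("OK   no single-valued signing default uses MD2/MD5/SHA1")
    return not weak_defaults


if __name__ == "__main__":
    print("-- before fix (constructed) --")
    report(CS_CFG_BEFORE_FIX)
    print("-- after fix (comment 16 output) --")
    report(CS_CFG_AFTER_FIX)
```

Run it against a real file with `report(open("/var/lib/pki-ca/conf/CS.cfg").read())`. On the comment 16 output the defaults pass but the audit still warns about both allow-lists; tightening those is a separate decision from this bug, since removing SHA1 from ca.scep.allowedHashAlgorithms breaks SCEP clients that only speak SHA-1.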