Currently SHA1 is not recommended by security experts. We should switch our defaults to use SHA2.
VERIFIED CS 8.1 nightly (21st Dec 2010 build); x86_64 RHEL5.6 nightly; x86_64

Procedures for several fixes in comment #8, comment #11, comment #12:

1/ Signing algorithms in CS.cfg of CA are all SHA256
===========================
[root@cspki yum.repos.d]# grep SHA256 /var/lib/pki-ca/conf/CS.cfg
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
cloning.audit_signing.keyalgorithm=SHA256withRSA
cloning.ocsp_signing.keyalgorithm=SHA256withRSA
cloning.subsystem.keyalgorithm=SHA256withRSA
[root@cspki yum.repos.d]#
=============================

2/ Adding a new profile results in setting its signing algorithm to '-' (which is the CA's default - SHA256withRSA)

3/ Adding a new CRL issuing point results in "Revocation list signing algorithm" value as SHA256withRSA
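As an added example (not from this bug or from Certificate System's own tooling), a small POSIX shell audit over a constructed CS.cfg fragment: it lists every algorithm entry still naming MD2, MD5 or SHA1, which the grep above does not surface because those values sit in allowed-algorithm lists alongside SHA256, and it checks the CA default separately. The key name ca.signing.defaultSigningAlgorithm is an assumption of the example.

```shell
#!/bin/sh
# Audit a CS.cfg-style key=value file for weak hash algorithms.
# Constructed example; the file contents below are modelled on the keys
# quoted in the verification comment, plus one assumed default-algorithm key.

CS_CFG_SAMPLE=$(mktemp)
cat > "$CS_CFG_SAMPLE" <<'EOF'
# constructed CS.cfg fragment (not a real server's configuration)
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.signing.defaultSigningAlgorithm=SHA1withRSA
cloning.audit_signing.keyalgorithm=SHA256withRSA
cloning.ocsp_signing.keyalgorithm=SHA256withRSA
EOF

# Print "key: algorithm" for every weak hash found in any *alg*/*Alg* key,
# splitting comma-separated lists so allowed-list entries are reported too.
weak_alg_entries() {
    grep -E '^[^#]*(alg|Alg)[^=]*=' "$1" \
    | while IFS='=' read -r key value; do
        echo "$value" | tr ',' '\n' | while read -r alg; do
            case "$alg" in
                MD2*|MD5*|SHA1*|SHA-1*) echo "$key: $alg" ;;
            esac
        done
    done
}

# Return 0 when the assumed CA default signing algorithm key names a
# SHA-2 family algorithm, 1 when it is missing or names anything else.
default_signing_ok() {
    default=$(sed -n 's/^ca\.signing\.defaultSigningAlgorithm=//p' "$1")
    case "$default" in
        SHA256*|SHA384*|SHA512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report weak entries and the default-algorithm verdict.
weak_alg_entries "$CS_CFG_SAMPLE"
if default_signing_ok "$CS_CFG_SAMPLE"; then
    echo "default signing algorithm: OK"
else
    echo "default signing algorithm: WEAK OR UNSET"
fi
```

On the sample file this reports five weak entries (three in SigningAlgRule.algorithms, SHA1 in the SCEP allowed list, and the SHA1withRSA default) and flags the default as weak.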