Bug 499494 - change CA defaults to SHA2
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: CA
Version: unspecified
Platform: All Linux
Priority: high
Severity: medium
Assigned To: Christina Fu
QA Contact: Chandrasekar Kannan
Blocks: 445047
Reported: 2009-05-06 17:01 EDT by Chandrasekar Kannan
Modified: 2015-01-05 20:19 EST (History)
CC: 2 users
Doc Type: Bug Fix
Last Closed: 2012-06-04 16:25:04 EDT

Attachments:
- changed default from sha1 to sha256 in FileSigningInput (972 bytes, patch), 2010-11-14 18:34 EST, Christina Fu; awnuk: review+
- removed hardcoded sha1 sig alg for profile (1.54 KB, patch), 2010-11-16 15:57 EST, Christina Fu; awnuk: review+

Description, Chandrasekar Kannan, 2009-05-06 17:01:23 EDT:
Currently SHA1 is not recommended by security experts.
We should switch our defaults to use SHA2.
Comment 16, Kashyap Chamarthy, 2011-01-04 07:34:42 EST:
VERIFIED
CS 8.1 nightly (21st Dec 2010 build); x86_64
RHEL 5.6 nightly; x86_64

Procedures for several fixes in comment #8, comment #11, comment #12:

1/ Signing algorithms in CS.cfg of CA are all SHA256
===========================
[root@cspki yum.repos.d]# grep SHA256 /var/lib/pki-ca/conf/CS.cfg 
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
cloning.audit_signing.keyalgorithm=SHA256withRSA
cloning.ocsp_signing.keyalgorithm=SHA256withRSA
cloning.subsystem.keyalgorithm=SHA256withRSA
[root@cspki yum.repos.d]# 
=============================

2/ Adding a new profile results in setting its signing algorithm to '-' (which is the CA's default, SHA256withRSA).

3/ Adding a new CRL issuing point results in a "Revocation list signing algorithm" value of SHA256withRSA.
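As an added illustration (not part of this bug report or of the Dogtag code base), the following Python check parses CS.cfg key=value lines of the kind quoted in comment 16 and flags any signing-related entry whose hash is MD2, MD5 or SHA1, separating a weak single-valued default (the kind this bug fixed) from a weak entry that merely remains in an allow-list. The sample configuration is constructed for the example: it copies the quoted lines and deliberately sets the last keyalgorithm to SHA1withRSA so the check has something to report. Treating every key containing "alg" as algorithm-related is an assumption made here, not a Dogtag convention.

```python
# Constructed sample CS.cfg excerpt, modelled on the lines quoted in comment 16.
# The final line is deliberately weakened so the audit has a finding to report.
SAMPLE_CS_CFG = """\
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
cloning.audit_signing.keyalgorithm=SHA256withRSA
cloning.ocsp_signing.keyalgorithm=SHA256withRSA
cloning.subsystem.keyalgorithm=SHA1withRSA
"""

# Hash families that should no longer appear as a CA default.
WEAK_HASHES = ("MD2", "MD5", "SHA1")


def parse_cs_cfg(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def hash_of(alg):
    """Extract the hash family: 'SHA256withRSA' -> 'SHA256', 'SHA1' -> 'SHA1'."""
    return alg.split("with", 1)[0].upper()


def audit(cfg):
    """Return a list of (key, algorithm, kind) findings.

    kind is 'default' when the key holds a single algorithm (a weak default),
    or 'allowed' when the weak algorithm is one entry of a comma-separated list.
    Assumption: any key whose name contains 'alg' is treated as algorithm-related.
    """
    findings = []
    for key, value in cfg.items():
        if "alg" not in key.lower():
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        kind = "allowed" if len(values) > 1 else "default"
        for alg in values:
            if hash_of(alg) in WEAK_HASHES:
                findings.append((key, alg, kind))
    return findings


if __name__ == "__main__":
    # Stand-alone run: report weak defaults first, then weak allow-list entries.
    for key, alg, kind in sorted(audit(parse_cs_cfg(SAMPLE_CS_CFG)), key=lambda f: f[2]):
        print(f"{kind:8s} {key} = {alg}")
```

A weak 'default' finding is the condition this bug was about and is worth failing a build or deployment check on; 'allowed' findings only show that an older algorithm can still be selected, which is a separate policy decision.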
