000031048 - Certificate Signing Requests show Signature Algorithm: sha1WithRSAEncryption, not SHA-256 (sha256WithRSAEncryption); SHA-256 certs incompatible with Java 1.6

Document created by RSA Customer Support Employee on Jun 14, 2016
Version 1

Article Content

Article Number: 000031048
Applies To:
RSA Product Set: Identity Management and Governance
RSA Product/Service Type: Appliance
RSA Version/Condition: 6.9.1
Platform: Linux
Platform (Other): null
O/S Version: SUSE Linux
Product Name: RSA-0018035
Product Description: IMG R620 Appliance ACM/AFX/Lifecycle
Issue: A customer replacing the appliance's self-signed certificates with certificates signed by a CA (Certificate Authority) may examine the CSR (Certificate Signing Request) and be concerned to see:
Signature Algorithm: sha1WithRSAEncryption
rather than a stronger algorithm such as SHA-256 (a member of the SHA-2 family, which OpenSSL displays as sha256WithRSAEncryption).
Cause: This is caused by the JDK 1.6 keytool utility, which is installed by default with IMG versions through 6.9.1. This version of keytool produces a keypair and CSR with a sha1WithRSAEncryption signature even if you specify the following option (which is not covered in the documentation):
-sigalg SHA256withRSA
 
Resolution: The algorithm shown in the CSR applies only to the CSR's own signature, which proves possession of the private key and protects the request against tampering until the CA signs it. It has no effect on which signature algorithm the CA uses to sign the certificate itself, and a CA will typically choose a stronger algorithm. Once the certificate has been issued and signed with a stronger algorithm, the weaker algorithm used for the CSR is no longer relevant. After installing the issued certificate, confirm its Signature Algorithm directly (for example with openssl x509 -in server.crt -noout -text) rather than judging it from the CSR.
Notes: The next version of IMG will use JDK 1.7, which has an updated keytool utility.
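To make the Resolution concrete, the following is an added example, not part of RSA's article or of the IMG product: it reads the signatureAlgorithm field out of a PEM CSR and out of the issued certificate, and reports whether a weak algorithm sits in the place that actually matters (the certificate). The two PEM inputs are constructed stand-ins built inside the script with the correct outer DER shape, not real keytool or CA output, and all function and constant names are the example's own.

```python
import base64
import re

# OIDs behind the "Signature Algorithm:" line of `openssl req -text` / `openssl x509 -text`.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_ALGORITHMS = {"sha1WithRSAEncryption"}

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    """OID content octets -> dotted string (the first octet packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Name (or dotted OID) of the outer signatureAlgorithm of a PEM CSR or certificate.

    PKCS#10 CertificationRequest and X.509 Certificate share the outer shape
    SEQUENCE { tbs SEQUENCE, signatureAlgorithm SEQUENCE { OID, params }, BIT STRING },
    so one walk serves both: second child of the outer SEQUENCE, then its first child.
    """
    der = base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
    tag, outer, _ = _read_tlv(der, 0)
    alg_tag, alg_value = _children(outer)[1]
    oid_tag, oid_value = _children(alg_value)[0]
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not SEQUENCE { SEQUENCE, SEQUENCE { OID, ... }, BIT STRING }")
    oid = _decode_oid(oid_value)
    return SIGNATURE_OIDS.get(oid, oid)

def csr_algorithm_matters(csr_pem, cert_pem):
    """The article's point in code: returns (csr_alg, cert_alg, concern), where concern is
    True only if the *issued certificate* carries a weak algorithm; the CSR's does not count."""
    csr_alg, cert_alg = signature_algorithm(csr_pem), signature_algorithm(cert_pem)
    return csr_alg, cert_alg, cert_alg in WEAK_ALGORITHMS

# --- constructed sample input: stand-ins with the right outer shape, not real CSRs/certs ---
def _der(tag, content):
    n = len(content)
    length = bytes([n])
    if n >= 0x80:  # long form for real-world sizes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def constructed_sample(pem_label, sig_oid):
    """PEM blob whose outer signatureAlgorithm is sig_oid; the tbs body is a placeholder and
    the signature bytes are junk, since only the three-field shape is read above."""
    tbs = _der(0x30, _der(0x02, b"\x00"))                                     # SEQUENCE { INTEGER 0 }
    sig_alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # { OID, NULL }
    sig = _der(0x03, b"\x00\xde\xad\xbe\xef")                                  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(_der(0x30, tbs + sig_alg + sig)).decode()
    return f"-----BEGIN {pem_label}-----\n{b64}\n-----END {pem_label}-----\n"

# What the JDK 1.6 keytool CSR shows versus what the CA issued (constructed stand-ins).
CSR_PEM = constructed_sample("CERTIFICATE REQUEST", "1.2.840.113549.1.1.5")
CERT_PEM = constructed_sample("CERTIFICATE", "1.2.840.113549.1.1.11")

if __name__ == "__main__":
    csr_alg, cert_alg, concern = csr_algorithm_matters(CSR_PEM, CERT_PEM)
    print(f"CSR: {csr_alg}; issued certificate: {cert_alg}; concern: {concern}")
```

In real use, pass the contents of the .csr file keytool produced and the .crt file the CA returned; the values returned are the same ones `openssl req -in server.csr -noout -text` and `openssl x509 -in server.crt -noout -text` print on their Signature Algorithm lines. The parser reads only the outer envelope and does not verify either signature, so it answers the article's question (which algorithm is in which object) and nothing more.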
