000027011 - When signing a SHA256 CA off a SHA1 Root CA, it does not have a SHA256 signature algorithm in RCM

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000027011
Applies To: RSA Certificate Manager 6.8
RSA Certificate Manager (RCM)
Secure Hash Algorithm (SHA-1)
Secure Hash Algorithm (SHA-256)
Secure Hash Algorithm (SHA-384)
Secure Hash Algorithm (SHA-512)
Issue: When signing a SHA256 CA off a SHA1 Root CA, it does not have a SHA256 signature algorithm.
If the Root CA is configured with the SHA1 digest algorithm, the SubCA is issued with a SHA1 signature algorithm even though the SubCA was requested with SHA256.
Resolution

The behavior of RCM:
-----------------------------------------
1. If the Root CA is configured with the SHA1 digest algorithm, the SubCA is issued with a SHA1 signature algorithm even though the SubCA was requested with a SHA2 algorithm. The SubCA is submitted as a certificate request to the Root CA, and the Root CA issues it using its own (the Root CA's) signature algorithm.
2. If a certificate request is submitted to the Sub CA, the certificate is issued with a SHA2 signature algorithm.
3. If a certificate request is submitted to the Root CA, the certificate is issued with a SHA1 signature algorithm.
-----------------------------------------
In other words, the signature algorithm of an issued certificate is always the one configured on the issuing CA, not the one requested. The link below describes the same behavior for Microsoft CA: even though SHA2 is requested, a root CA configured to sign with SHA1 continues to use SHA1:
http://www.networksteve.com/forum/topic.php/Cannot_Issue_Certificate_Signed_with_SHA256/?TopicId=421&Posts=3
RCM behaves similarly to Microsoft CA in both Sub CA creation and certificate issuance.
Examples of RCM behavior:
A) Create a self-signed CA (say, RootCA) with SHA256:
    - The RootCA certificate will show SHA256
    - RCM admin interface => CA Operations workbench => View CA page will show SHA256
    - Any certificates (other CAs or end entities) signed by RootCA will use SHA256

B) Create a subordinate CA (say, SubCA-1) signed by RootCA, choosing key/hash for SubCA-1 as RSA/2048/SHA1:
    - The SubCA-1 certificate will show SHA256 (because it is signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA1 (because SHA1 was selected during SubCA-1 creation)
    - Any certificates (other CAs or end entities) signed by SubCA-1 will use SHA1

C) Create another subordinate CA (say, SubCA-2) signed by RootCA, choosing key/hash for SubCA-2 as RSA/2048/SHA256:
    - The SubCA-2 certificate will show SHA256 (because it is signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA256 (because SHA256 was selected during SubCA-2 creation)
    - Any certificates (other CAs or end entities) signed by SubCA-2 will use SHA256

D) Create a third subordinate CA (say, SubCA-3) signed by RootCA, choosing key/hash for SubCA-3 as RSA/2048/SHA384:
    - The SubCA-3 certificate will show SHA256 (because it is signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA384 (because SHA384 was selected during SubCA-3 creation)
    - Any certificates (other CAs or end entities) signed by SubCA-3 will use SHA384

E) Create a fourth subordinate CA (say, SubCA-5) signed by RootCA, choosing key/hash for SubCA-5 as RSA/2048/SHA512:
    - The SubCA-5 certificate will show SHA256 (because it is signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA512 (because SHA512 was selected during SubCA-5 creation)
    - Any certificates (other CAs or end entities) signed by SubCA-5 will use SHA512

In each case the View CA page shows the digest the CA will sign with, while the CA's own certificate shows the digest its parent signed with. To confirm what a particular certificate actually carries, check the signature algorithm field of the certificate itself rather than the View CA page of its subject.
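As an added illustration (not RCM code and not from this article), the issuance rule in scenarios A and B can be reproduced with the third-party Python "cryptography" library, which is assumed to be installed; the CA class, the _sign helper and the CA names are constructed for the demonstration only.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _sign(subject, subject_key, issuer, issuer_key, digest, is_ca):
    # The signature hash is whatever the *signer* passes here; it is never a
    # property of the subject or of the request. That is the RCM rule above.
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, digest)

class CA:
    """Constructed model of an RCM CA: 'digest' is the hash shown on its View CA page."""
    def __init__(self, cn, digest, issuer=None):
        self.key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.name, self.digest = _name(cn), digest
        signer = issuer or self  # self-signed root, or signed by the parent CA
        # The parent's digest signs this CA's own certificate, not the digest chosen for it.
        self.cert = _sign(self.name, self.key, signer.name, signer.key, signer.digest, True)

    def issue(self, cn):
        # Everything this CA signs carries its own configured digest.
        leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        return _sign(_name(cn), leaf_key, self.name, self.key, self.digest, False)

def sig_hash(cert):
    # What the certificate itself carries, as opposed to the View CA page.
    return cert.signature_hash_algorithm.name  # 'sha1', 'sha256', ...

def demo():
    root = CA("RootCA", hashes.SHA256())              # scenario A
    sub1 = CA("SubCA-1", hashes.SHA1(), issuer=root)  # scenario B: RSA/2048/SHA1
    return {
        "RootCA": sig_hash(root.cert),                        # sha256
        "SubCA-1": sig_hash(sub1.cert),                       # sha256, signed by RootCA
        "leaf-from-SubCA-1": sig_hash(sub1.issue("leaf1")),   # sha1, SubCA-1's own digest
        "leaf-from-RootCA": sig_hash(root.issue("leaf0")),    # sha256
    }
```

Running demo() shows that SubCA-1's own certificate is SHA256 while everything it issues is SHA1, which is exactly why requesting SHA256 from a SHA1 Root CA cannot produce a SHA256-signed Sub CA.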
Notes: CERTMGR-3844, CERTMGR-3831, CERTMGR-3959
Legacy Article ID: a56054
