000024586 - Which signature algorithms are supported when re-signing server certificates?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 4

Article Content

Article Number: 000024586
Applies To: Sentry CA 3.5 and later
Keon Certificate Authority
TechNote 0192
Issue: Which signature algorithms are supported when re-signing a server certificate?
Resolution: Certificates used for internal communication within the Sentry product suite must be signed by a DSA CA. This includes the Secure Directory's root and SSL certificates (contained in the root.cert and ssl.cert files) and the webserver certificates used to communicate internally with the Secure Directory (contained in the admin.cert, enrollDSS.cert and enroll.cert files).

The webserver certificates used for client SSL (i.e. to a user's web browser) are stored in the file system as adminServer.cert, enrollDSSServer.cert and enrollServer.cert. The enrollDSSServer certificate must be signed by a DSA CA. The other two certificates can be signed with either RSA or DSA.

Note: to support all versions of Internet Explorer, use RSA as your signature algorithm. Versions of MSIE prior to 4.0 with Service Pack 4.0 do not support DSA signing (see the solution "Configuring MSIE 4.x to support DSA CAs").

For Sentry CA 3.7, certificate files are automatically backed up to <file>.bak in the certs directory when re-signing. If you experience a problem after re-signing, restore the backed-up certificate file and restart Sentry.
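As an added example (not code from the RSA article or the Sentry product), the following reads the outer signatureAlgorithm of a DER-encoded certificate with a minimal DER walk and checks it against the article's rule for each Sentry certificate file. The OID table is standard X.509 knowledge, the file-name rule is taken from the text above, and the sample certificate is constructed inline with a placeholder tbsCertificate, so no real .cert file is needed to run it.

```python
# Signature-algorithm OIDs grouped by key family (the DSA-vs-RSA distinction in the article).
SIG_OIDS = {
    "1.2.840.10040.4.3": "DSA",       # dsaWithSHA1
    "2.16.840.1.101.3.4.3.2": "DSA",  # dsaWithSHA256
    "1.2.840.113549.1.1.4": "RSA",    # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "RSA",    # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "RSA",   # sha256WithRSAEncryption
}
# Sentry files that must be signed by a DSA CA (the others may use RSA or DSA), per the article.
DSA_ONLY = {"root.cert", "ssl.cert", "admin.cert", "enrollDSS.cert", "enroll.cert",
            "enrollDSSServer.cert"}

def _tlv(data, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _decode_oid(raw):
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                              # base-128 sub-identifiers
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value); value = 0
    return ".".join(map(str, parts))

def signature_family(der):
    """Key family ('DSA'/'RSA', else the raw OID) of a DER certificate's signatureAlgorithm."""
    _, start, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)               # tbsCertificate, skipped
    _, alg_start, _ = _tlv(der, tbs_end)           # signatureAlgorithm SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)     # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(der[o_start:o_end])
    return SIG_OIDS.get(oid, oid)

def check_file(name, der):
    """True if the certificate's signing family is acceptable for this Sentry file."""
    return signature_family(der) in ({"DSA"} if name in DSA_ONLY else {"DSA", "RSA"})
def _der(tag, content):  # minimal DER encoder (content < 128 bytes) for the constructed sample
    return bytes([tag, len(content)]) + content
def sample_cert(sig_oid, params=b""):
    """Constructed stand-in certificate: placeholder tbsCertificate, real outer layout."""
    tbs, alg = _der(0x30, _der(0x02, b"\x01")), _der(0x30, _der(0x06, sig_oid) + params)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xAB\xCD"))
DSA_SHA1 = bytes.fromhex("2A8648CE380403")        # 1.2.840.10040.4.3, no parameters
RSA_SHA1 = bytes.fromhex("2A864886F70D010105")    # 1.2.840.113549.1.1.5, NULL parameters
```

For a real PEM .cert file, strip the BEGIN/END lines and base64-decode the body before passing it to check_file.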
Legacy Article ID: a3689
