|Applies To||Sentry CA 3.5 and later|
Keon Certificate Authority
|Issue||Which signature algorithms are supported when re-signing server certificates?|
Which signature algorithms are supported when re-signing a server certificate?
|Resolution||Certificates used for internal communication within the Sentry product suite need to be signed by a DSA CA. This includes the Secure Directory's root and SSL certificates (the certificates contained in the root.cert and ssl.cert files) and the webserver certificates used in communicating internally with the Secure Directory (this includes the certificates contained in the admin.cert, enrollDSS.cert and enroll.cert files).|
The webserver certificates used for client SSL (ie. to a user's web browser) are stored in the file system as the adminServer.cert, enrollDSSServer.cert and enrollServer.cert. The enrollDSSServer certificate must be signed by a DSA CA. The other certificates can be signed with either RSA or DSA.
Note : for supporting all versions of Internet Explorer, you should use RSA as your
signature algorithm. Versions of MSIE prior to 4.0 with service pack 4.0 do
not support DSA signing (see the solution "Configuring MSIE 4.x to support DSA CAs").
For Sentry CA 3.7, certificate files are automatically backed up to <file>.bak in the certs directory when re-signing. If you experience a problem after re-signing, restore the backed up certificate file and re-start Sentry.
|Legacy Article ID||a3689|