|Applies To||RSA Certificate Manager 6.8|
RSA Certificate Manager 6.9 build 557 and earlier
|Issue||How to create a CA hierarchy where one subordinate CA uses SHA1 and another subordinate CA uses SHA2, while both sub CAs are signed by a SHA1 root CA.|
The requirements are to create one Root CA and two Sub CAs, where one sub CA would issue end-entity certificates with SHA1 and the other sub CA would issue end-entity certificates with SHA2 (say, SHA-256). Each of the sub CA certificates (issued by Root CA) should use the same hash type (SHA1 or SHA2) as they would use for signing end-entity certs.
|Resolution||The ability to configure Preferred Digest Algorithm at jurisdiction level for each CA has been added in RSA Certificate Manager 6.9 build 558. Using RSA Certificate Manager 6.9 build 558 (or later), you can configure Preferred Digest Algorithm in the CA's jurisdiction(s) to create a CA hierarchy where one subordinate CA uses SHA1 and another subordinate CA uses SHA2, while both sub CAs are signed by a SHA1 root CA.|
For RSA Certificate Manager 6.9 build 557 and earlier deployments, which do not allow a CA to choose a hashing/signature algorithm different from the one chosen during its creation, the following workaround can be used to set up a CA hierarchy as mentioned above. For simplicity, RSA 2048-bit keys are chosen in the example below.
|Notes||IMPORTANT: When following the workaround, make a full RCM backup before using the listuclass.xuda tool, as any inadvertent mistake in updating records through listuclass.xuda can render your RCM installation unusable.|
|Legacy Article ID||a58531|