RSA Certificate Manager (RCM)
Secure Hash Algorithm (SHA-1)
Secure Hash Algorithm (SHA-256)
Secure Hash Algorithm (SHA-384)
Secure Hash Algorithm (SHA-512)
If RootCA is configured with SHA1 digest algorithm, even though SubCA requested with SHA256 algorithm - the SubCA issued with SHA1 signature algorithm.
The behavior of RCM:
-----------------------------------------
1. If RootCA is configured with SHA1 digest algorithm, even though SubCA requested with SHA2 algorithm - the SubCA issued with SHA1 signature algorithm. Here, the SubCA is submitted as certificate request to Root CA and it is issued by the Root CA with its signature algorithm.
2. If we submit the certificate request to Sub CA, the certificate is issued with SHA2 signature algorithm.
3. If we submit the certificate request to Root CA, the certificate is issued with SHA1 signature algorithm.
-----------------------------------------
The link below says that even though you request SHA2, the root CA is configured to sign with SHA1, so it will continue to use SHA1:
http://www.networksteve.com/forum/topic.php/Cannot_Issue_Certificate_Signed_with_SHA256/?TopicId=421&Posts=3
RCM behaves similar to Microsoft CA both in Sub CA creation and certificate issuance.
A) Create a self-signed CA (say, RootCA) with SHA256:
- RootCA certificate will show SHA256
- RCM admin interface => CA Operations workbench => View CA page will show SHA256
- Any certificates (other CA's or end-entities) signed by RootCA will use SHA256
- SubCA-1 certificate will show SHA256 (because it's signed by RootCA that uses SHA256)
- RCM admin interface => CA Operations workbench => View CA page will show SHA1 (because SHA1 was selected during SubCA-1 creation)
- Any certificates (other CA's or end-entities) signed by SubCA-1 will use SHA1
C) Create another subordinate CA (say, SubCA-2) signed by RootCA, choose key/hash for SubCA-2 as RSA/2048/SHA256:
- SubCA-2 certificate will show SHA256 (because it's signed by RootCA that uses SHA256)
- RCM admin interface => CA Operations workbench => View CA page will show SHA256 (because SHA256 was selected during SubCA-2 creation)
- Any certificates (other CA's or end-entities) signed by SubCA-2 will use SHA256
D) Create a third subordinate CA (say, SubCA-3) signed by RootCA, choose key/hash for SubCA-3 as RSA/2048/SHA384:
- SubCA-3 certificate will show SHA256 (because it's signed by RootCA that uses SHA256)
- RCM admin interface => CA Operations workbench => View CA page will show SHA384 (because SHA384 was selected during SubCA-3 creation)
- Any certificates (other CA's or end-entities) signed by SubCA-3 will use SHA384
E) Create a fourth subordinate CA (say, SubCA-5) signed by RootCA, choose key/hash for SubCA-5 as RSA/2048/SHA512:
- SubCA-5 certificate will show SHA256 (because it's signed by RootCA that uses SHA256)
- RCM admin interface => CA Operations workbench => View CA page will show SHA512 (because SHA512 was selected during SubCA-5 creation)
- Any certificates (other CA's or end-entities) signed by SubCA-5 will use SHA512
CERTMGR-3831
CERTMGR-3959
Related Articles
StealthAUDIT hosts have a status of Offline in RSA Identity Governance and Lifecycle Number of Views Cannot attach Authentication Manager 8.1 replica server following migration from 7.1; user name specified does not have a … Number of Views RSA Identity Governance & Lifecycle scheduled report generation with attachments in email fails when having a slash (/) in… Number of Views User Access Reviews defined with the Default Reviewer Interface Style in 7.1.x have a 5000 review item export limit in RSA… Number of Views RSA SecurID Web Tier is not working and has a status of "Offline" or "Offline, reinstall required" in the Authentication M… Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
