|
From: Ralf H. <rh...@hc...> - 2015-05-06 11:35:04
Attachments:
smime.p7s
|
Hello,

I use EJBCA 4.0.16 (r17223) Jboss 5.1.0 GA.

I don't see any chance to change the algorithm for the fingerprint extension to anything else than sha1.
Browsers like chrome require certificate fingerprints of sha2.

How can this extension be changed?

Thanks and best regards
Ralf
|
From: Tomas G. <to...@pr...> - 2015-05-06 11:42:55
|
What is the fingerprint extension?

If you mean digital signature algorithm to be SHA256WithRSA, you can select it in the web gui.

Regards,
Tomas

On 2015-05-06 13:18, Ralf Hornik wrote:
> Hello,
>
> I use EJBCA 4.0.16 (r17223) Jboss 5.1.0 GA.
>
> I don't see any chance to change the algorithm for the fingerprint extension
> to anything else than sha1.
> Browsers like chrome require certificate fingerprints of sha2.
>
> How can this extension be changed?
> Thanks and best regards
>
> Ralf
|
From: Ralf H. <rh...@hc...> - 2015-05-06 11:57:32
Attachments:
smime.p7s
|
Hi,

> What is the fingerprint extension?

[root@ca-pb ~]# openssl x509 -in cert.pem -noout -fingerprint
SHA1 Fingerprint=2B:D1:C3:77:42:95:F4:09:CC:A0:4D:3F:05:5F:44:15:27:1A:0D:42

This also defaults to sha1 in Browsers displays. But as I see this is not a real x509 extension as openssl does not show it.
I'll need to look for another problem. :-)

> If you mean digital signature algorithm to be SHA256WithRSA, you can select it in the web gui.

This I already set :-)

Thank you
Ralf
|
From: Michael S. <mi...@st...> - 2015-05-06 12:04:25
Attachments:
smime.p7s
|
Ralf Hornik wrote:
>> What is the fingerprint extension?
>
> [root@ca-pb ~]# openssl x509 -in cert.pem -noout -fingerprint
> SHA1 Fingerprint=2B:D1:C3:77:42:95:F4:09:CC:A0:4D:3F:05:5F:44:15:27:1A:0D:42

This is simply the hash checksum calculated for the raw binary data, in this case by OpenSSL.

=> You have to consult the OpenSSL docs to see how to use another hash algorithm for fingerprint calculation.

BTW: If you want to provide fingerprints for out-of-band verification of trust anchor certs you have to provide each algorithm any client might use.

Ciao, Michael.
|
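Added example, not part of the thread and not EJBCA or OpenSSL project code: it shows that the fingerprint discussed above is a digest computed by the client over the DER encoding of the certificate, so the hash is chosen when displaying it (`-sha1`, `-sha256`), independently of the signature algorithm the CA used. The function names and the throwaway self-signed certificate are constructed for this illustration.

```sh
#!/bin/sh
# Constructed sample input: a throwaway self-signed cert signed with SHA-256.
make_sample_cert() {    # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=fingerprint-demo.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Fingerprint as OpenSSL reports it. $1 = cert file, $2 = digest name.
# The digest is a command-line choice, not something stored in the cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# The same value computed by hand: hash the DER bytes of the whole cert.
der_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst "-$2" -r | cut -d' ' -f1
}

# Signature algorithm chosen by the CA at issuance; this one IS in the cert.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Signature Algorithm:/ {print $3; exit}'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample_cert "$demo_dir"

for md in sha1 sha256; do
    printf '%-7s fingerprint: %s\n' "$md" \
        "$(cert_fingerprint "$demo_dir/cert.pem" "$md")"
done
echo "signature algorithm: $(sig_alg "$demo_dir/cert.pem")"
```

A SHA-1 fingerprint shown by a tool therefore says nothing about whether the certificate itself was signed with SHA-1; check the signature algorithm field for that.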
From: Michael S. <mi...@st...> - 2015-05-06 11:45:50
Attachments:
smime.p7s
|
Ralf Hornik wrote:
> I use EJBCA 4.0.16 (r17223) Jboss 5.1.0 GA.
>
> I don't see any chance to change the algorithm for the fingerprint extension
> to anything else than sha1.
> Browsers like chrome require certificate fingerprints of sha2.

Are you talking about certificate fingerprints or the certificate signature algorithm? I guess it's the latter.

> How can this extension be changed?

It's likely not an X.509v3 extension what you're talking about.

You should look into the certificate profile(s):

There you can choose SHA256WithRSA as the signature algorithm used when issuing certs. IIRC this already worked with EJBCA 4.0.16 though I'm not sure whether the Java version you're using is capable of doing that.

Ciao, Michael.
|
From: Anders R. <and...@gm...> - 2015-05-06 11:55:09
|
AKI and SKI?

Anders

On 2015-05-06 13:45, Michael Ströder wrote:
> Ralf Hornik wrote:
>> I use EJBCA 4.0.16 (r17223) Jboss 5.1.0 GA.
>>
>> I don't see any chance to change the algorithm for the fingerprint extension
>> to anything else than sha1.
>> Browsers like chrome require certificate fingerprints of sha2.
> Are you talking about certificate fingerprints or the certificate signature
> algorithm? I guess it's the latter.
>
>> How can this extension be changed?
> It's likely not an X.509v3 extension what you're talking about.
>
> You should look into the certificate profile(s):
>
> There you can choose SHA256WithRSA as the signature algorithm used when
> issuing certs. IIRC this already worked with EJBCA 4.0.16 though I'm not sure
> whether the Java version you're using is capable of doing that.
>
> Ciao, Michael.