Overview
CA signing or designated SCEP signing certificates can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.
Router certificate requests can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.
Router certificates can be generated using SHA2 algorithms. This is configurable through either the caRouterCert profile's defaults and constraints for signing algorithms or the CA's default signing algorithm.
SCEP messages (in PKCS7 format) can be generated using SHA2 algorithms:
Server-side messages are configured within the ca.scep section of CS.cfg (ca.scep.hashAlgorithm=SHA512).
Client-side messages are configured by the SSCEP client configuration.
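An added example, not part of the original page or of the Dogtag code base: a small Python audit of the SCEP hash settings in a CS.cfg, flagging anything that is not SHA2. The sample file is constructed, and `ca.scep.allowedHashAlgorithms` is a Dogtag setting that this page does not mention.

```python
"""Audit the SCEP hash settings in a Dogtag CS.cfg (added example)."""

WEAK = {"MD5", "SHA1"}
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}
# ca.scep.hashAlgorithm is the setting shown on this page;
# ca.scep.allowedHashAlgorithms is a Dogtag setting this page does not mention.
HASH_KEYS = ("ca.scep.hashAlgorithm", "ca.scep.allowedHashAlgorithms")

# Constructed CS.cfg excerpt, not taken from a real deployment.
SAMPLE_CS_CFG = """\
ca.scep.hashAlgorithm=SHA512
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
"""

def parse_cs_cfg(text):
    """Parse key=value lines, splitting on the first '=' only."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def classify(name):
    """Return 'weak', 'sha2' or 'unknown' for a hash algorithm name."""
    norm = name.strip().upper().replace("-", "")
    if norm in WEAK:
        return "weak"
    return "sha2" if norm in SHA2 else "unknown"

def audit_scep_hashes(cfg):
    """Return (key, algorithm, verdict) for each configured SCEP hash."""
    results = []
    for key in HASH_KEYS:
        value = cfg.get(key)
        if not value:
            results.append((key, None, "unset"))  # server default applies
            continue
        for name in value.split(","):
            results.append((key, name.strip(), classify(name)))
    return results

def needs_attention(cfg):
    """Everything that is not positively identified as SHA2."""
    return [r for r in audit_scep_hashes(cfg) if r[2] != "sha2"]

if __name__ == "__main__":
    for key, alg, verdict in audit_scep_hashes(parse_cs_cfg(SAMPLE_CS_CFG)):
        print(f"{verdict:8} {key} -> {alg}")
```

In the constructed sample the default hash is SHA512, yet the allowed list still contains SHA1, which is the case `needs_attention` reports.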
Testing with SSCEP
Testing with Key Manager
Test Results
SCEP unit testing was performed using SSCEP and FF Key Manager as SCEP clients:
| Hash algorithm | Signing certificate | SCEP certificate | SCEP request | SCEP response | PKCS10 request |
|---|---|---|---|---|---|
| MD5 | | | | | |
| SHA1 | | | | | |
| **SHA256** | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | Modified Request Generation | |
| **SHA512** | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | Modified Request Generation | |