Overview

CA signing or designated SCEP signing certificates can be generated using SHA2 algorithms. If they are, the SSCEP client has to be updated.

The router certificate request can be generated using SHA2 algorithms. If it is, the SSCEP client has to be updated.

The router certificate can be generated using SHA2 algorithms. This is configurable through either the caRouterCert profile's defaults and constraints for signing algorithms or the CA's default signing algorithm.

SCEP messages (in PKCS7 format) can be generated using SHA2 algorithms:

  • Server side messages are configured within the ca.scep section of CS.cfg (ca.scep.hashAlgorithm=SHA512).

  • Client side messages are configured by the SSCEP client configuration.
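
As an added example (not part of the original page or of the project's own tooling), the following Python function audits CS.cfg text for the server-side ca.scep.hashAlgorithm setting and reports whether it is a SHA2 value or one of the older MD5/SHA1 values. The function name, status labels and sample configurations are constructed for illustration, and it assumes `#` starts a comment line in CS.cfg.

```python
# Added example: audit the server-side SCEP hash setting in CS.cfg text.
KEY = "ca.scep.hashAlgorithm"      # setting named on this page
WEAK = {"MD5", "SHA1"}             # pre-SHA2 rows of the test matrix
SHA2 = {"SHA256", "SHA512"}        # SHA2 rows of the test matrix


def audit_scep_hash(cfg_text):
    """Classify the configured SCEP hash; returns (status, detail)."""
    values = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank or commented-out entries do not count
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            values.append(value.strip().upper())
    if not values:
        return ("missing", None)           # server default applies; not stated on this page
    if len(set(values)) > 1:
        return ("conflict", values)        # duplicate keys that disagree need manual review
    value = values[0]
    if value in WEAK:
        return ("weak", value)
    if value in SHA2:
        return ("sha2", value)
    return ("unknown", value)              # not one of the algorithms this page tested


# Constructed sample configurations (not taken from a real deployment).
SAMPLE_WEAK = """\
# SCEP settings
ca.scep.hashAlgorithm=SHA1
"""
SAMPLE_SHA2 = """\
# SCEP settings
#ca.scep.hashAlgorithm=SHA1
ca.scep.hashAlgorithm=SHA512
"""

if __name__ == "__main__":
    for name, cfg in (("weak sample", SAMPLE_WEAK), ("sha2 sample", SAMPLE_SHA2)):
        print(name, audit_scep_hash(cfg))
```

A "missing" or "conflict" result deserves the same follow-up as "weak", because in both cases the hash actually used for server-side SCEP messages is not pinned by the file.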

Testing with SSCEP

See Testing SCEP Responder with SSCEP.

Testing with Key Manager

See Testing SCEP Responder with Firefox Key Manager.

Test Results

SCEP unit testing was performed using SSCEP and FF Key Manager as SCEP clients:

| | Signing certificate | SCEP certificate | SCEP request | SCEP response | PKCS10 request |
|---|---|---|---|---|---|
| MD5 | SSCEP | SSCEP | SSCEP | SSCEP | SSCEP |
| SHA1 | SSCEP | SSCEP | SSCEP | SSCEP | SSCEP |
| **SHA256** | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | Key Manager | `Modified Request Generation <#SCEP_Request_Generation_with_SHA2>`__ |
| **SHA512** | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | `Modified SSCEP <#SSCEP_Updates>`__ | Key Manager | `Modified Request Generation <#SCEP_Request_Generation_with_SHA2>`__ |