When signing a SHA256 CA off a SHA1 Root CA it does not have a SHA256 signature algorithm in RCM
Originally Published: 2011-09-26
Article Number
000040544
Applies To
RSA Certificate Manager 6.8
RSA Certificate Manager (RCM)
Secure Hash Algorithm (SHA-1)
Secure Hash Algorithm (SHA-256)
Secure Hash Algorithm (SHA-384)
Secure Hash Algorithm (SHA-512)
Issue
When signing a SHA256 CA off a SHA1 Root CA, the resulting subordinate CA certificate does not carry a SHA256 signature algorithm.
If the Root CA is configured with the SHA1 digest algorithm, the Sub CA is issued with a SHA1 signature algorithm even though the Sub CA request asked for SHA256.
Resolution

The behavior of RCM:
-----------------------------------------
1. If the Root CA is configured with the SHA1 digest algorithm, the Sub CA is issued with a SHA1 signature algorithm even though SHA2 was requested for it. The Sub CA is submitted to the Root CA as a certificate request, and the Root CA signs it with its own configured digest algorithm, not with the one named in the request.

2. A certificate request submitted to the Sub CA is issued with the Sub CA's configured (SHA2) signature algorithm.

3. A certificate request submitted to the Root CA is issued with the Root CA's configured (SHA1) signature algorithm.
-----------------------------------------

The link below makes the same point: even if SHA2 is requested, a root CA that is configured to sign with SHA1 continues to sign with SHA1:
http://www.networksteve.com/forum/topic.php/Cannot_Issue_Certificate_Signed_with_SHA256/?TopicId=421&Posts=3

RCM behaves similarly to Microsoft CA, both in Sub CA creation and in certificate issuance.

Examples of RCM behavior:

A) Create a self-signed CA (say, RootCA) with SHA256:
    - RootCA certificate will show SHA256
    - RCM admin interface => CA Operations workbench => View CA page will show SHA256
    - Any certificates (other CAs or end-entities) signed by RootCA will use SHA256

B) Create a subordinate CA (say, SubCA-1) signed by RootCA, choose key/hash for SubCA-1 as RSA/2048/SHA1:
    - SubCA-1 certificate will show SHA256 (because it's signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA1 (because SHA1 was selected during SubCA-1 creation)
    - Any certificates (other CAs or end-entities) signed by SubCA-1 will use SHA1

C) Create another subordinate CA (say, SubCA-2) signed by RootCA, choose key/hash for SubCA-2 as RSA/2048/SHA256:
    - SubCA-2 certificate will show SHA256 (because it's signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA256 (because SHA256 was selected during SubCA-2 creation)
    - Any certificates (other CAs or end-entities) signed by SubCA-2 will use SHA256

D) Create a third subordinate CA (say, SubCA-3) signed by RootCA, choose key/hash for SubCA-3 as RSA/2048/SHA384:
    - SubCA-3 certificate will show SHA256 (because it's signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA384 (because SHA384 was selected during SubCA-3 creation)
    - Any certificates (other CAs or end-entities) signed by SubCA-3 will use SHA384

E) Create a fourth subordinate CA (say, SubCA-5) signed by RootCA, choose key/hash for SubCA-5 as RSA/2048/SHA512:
    - SubCA-5 certificate will show SHA256 (because it's signed by RootCA, which uses SHA256)
    - RCM admin interface => CA Operations workbench => View CA page will show SHA512 (because SHA512 was selected during SubCA-5 creation)
    - Any certificates (other CAs or end-entities) signed by SubCA-5 will use SHA512

In every case the View CA page shows the digest the CA itself will sign with, while the CA's own certificate shows the digest its issuer used. To know what signature algorithm a certificate actually carries, inspect the certificate, not the request that produced it.
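The following is an added example, not taken from the RSA article or from RCM itself. It reproduces the behavior described in points 1 to 3 of the resolution and in scenario D above using the OpenSSL command line: a RootCA that signs with SHA256, a SubCA-3 whose request is hashed with SHA384, and an end-entity certificate issued by SubCA-3. In RCM the digest is fixed when the CA is created; the analogous knob here is the ROOT_DIGEST and SUBCA_DIGEST variable that is passed to every signing command for that CA. Subject names, the 2048-bit RSA keys, validity periods, the extension profile and file names are all assumptions.

```shell
#!/bin/sh
# Added example (not RCM code): signature algorithm of an issued certificate
# is decided by the issuer's digest, not by the digest on the request.

ROOT_DIGEST="${ROOT_DIGEST:-sha256}"   # digest RootCA signs with (sha1 reproduces the reported issue)
SUBCA_DIGEST="${SUBCA_DIGEST:-sha384}" # digest requested for, and later used by, SubCA-3
WORK="${WORK:-$(mktemp -d)}"           # scratch directory for keys and certificates

# Assumed minimal extension profile for the subordinate CA certificate.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Scenario A: self-signed RootCA using ROOT_DIGEST.
make_root() {
  gen_key "$WORK/root.key"
  openssl req -new -x509 -"$ROOT_DIGEST" -key "$WORK/root.key" \
    -subj "/CN=RootCA" -days 365 -out "$WORK/root.pem"
}

# Scenario D: SubCA-3 is requested with SUBCA_DIGEST, but the request is signed
# by RootCA. The digest on the CSR only covers the request itself; the issued
# certificate carries the digest RootCA signs with (ROOT_DIGEST).
make_subca() {
  gen_key "$WORK/subca.key"
  openssl req -new -"$SUBCA_DIGEST" -key "$WORK/subca.key" \
    -subj "/CN=SubCA-3" -out "$WORK/subca.csr"
  openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -"$ROOT_DIGEST" -days 365 -extfile "$WORK/ca.ext" \
    -out "$WORK/subca.pem" 2>/dev/null
}

# Point 2 of the resolution: a request submitted to SubCA-3 is issued with
# SubCA-3's own digest (SUBCA_DIGEST), whatever the CSR was hashed with.
make_end_entity() {
  gen_key "$WORK/ee.key"
  openssl req -new -sha256 -key "$WORK/ee.key" \
    -subj "/CN=server.example.test" -out "$WORK/ee.csr"
  openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/subca.pem" -CAkey "$WORK/subca.key" \
    -CAcreateserial -"$SUBCA_DIGEST" -days 365 -out "$WORK/ee.pem" 2>/dev/null
}

# The check a practitioner wants: the algorithm actually on the certificate.
# The text dump prints it twice (inside tbsCertificate and as the outer
# signatureAlgorithm); both must agree, so only the unique value(s) are printed.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3}' | sort -u
}

# Same check for a certificate request, to show what was asked for.
csr_alg() {
  openssl req -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3}' | sort -u
}

run_demo() {
  make_root && make_subca && make_end_entity || return 1
  echo "RootCA certificate:    $(sig_alg "$WORK/root.pem")"
  echo "SubCA-3 request:       $(csr_alg "$WORK/subca.csr")"
  echo "SubCA-3 certificate:   $(sig_alg "$WORK/subca.pem")"
  echo "End-entity by SubCA-3: $(sig_alg "$WORK/ee.pem")"
}

run_demo
```

With the defaults, the SubCA-3 request shows sha384WithRSAEncryption while the SubCA-3 certificate shows sha256WithRSAEncryption, and the end-entity certificate shows sha384WithRSAEncryption, which is exactly the split between "View CA page" and "certificate will show" in the scenarios above. Running it as `ROOT_DIGEST=sha1 SUBCA_DIGEST=sha256 sh example.sh` reproduces the reported issue (a SubCA certificate that comes back as sha1WithRSAEncryption although SHA256 was requested); note that some hardened OpenSSL builds and system crypto policies refuse to create SHA1 signatures at all, in which case the SHA1 run fails at the signing step rather than producing a SHA1 certificate.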
Notes
CERTMGR-3844
CERTMGR-3831
CERTMGR-3959