[Pki-users] Re: SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS
SHA-1 may have been removed from JSS: https://github.com/dogtagpki/jss/pull/950

On Mon, Apr 8, 2024 at 1:01 PM Marc Sauton wrote:
> you may need to change the system's cryptographic policies to either
> "LEGACY" or "DEFAULT:SHA1", as SHA-1 has been deprecated:
>
> update-crypto-policies --set DEFAULT:SHA1
> reboot and test again
>
> see:
> man update-crypto-policies
> man crypto-policies
>
> doc link:
> 3.3. Setting up system-wide cryptographic policies in the web console
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#ref_list-of-rhel-applications-using-cryptography-that-is-not-compliant-with-fips-140-2_using-the-system-wide-cryptographic-policies
>
> note that AES support was added to SCEP in RHCS-10.4 on RHEL-8.6:
> https://access.redhat.com/errata/RHSA-2024:0774
> with:
> jss-4.9.8-1.module+el8pki+19895+c800dfbd
> tomcatjss-7.7.3-1.module+el8pki+19895+c800dfbd
> redhat-pki-10.13.9-5.module+el8pki+21062+4ed906e8
>
> On Mon, Apr 8, 2024 at 10:01 AM Project Administrator wrote:
>> Dear colleagues,
>>
>> Dogtag version - 11.8.4, a lot of old Cisco devices should be supported,
>> and we got this message on pkic-tomcat server when tried to
>> (configure) crypto pki enroll PKI.LVM
>>
>> 2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path [/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for provider Mozilla-JSS]
>>
>> Prerequisites: all parameters for SCEP security were enabled:
>>
>> ca.scep.encryptionAlgorithm=DES3
>> ca.scep.allowedEncryptionAlgorithms=DES3
>> ca.scep.hashAlgorithm=SHA1
>> ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
>> ca.scep.nickname=Server-Cert
>> ca.scep.nonceSizeLimit=20

___
Pki-users mailing list -- users@lists.dogtagpki.org
To unsubscribe send an email to users-le...@lists.dogtagpki.org
[Pki-users] Re: SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS
you may need to change the system's cryptographic policies to either
"LEGACY" or "DEFAULT:SHA1", as SHA-1 has been deprecated:

update-crypto-policies --set DEFAULT:SHA1
reboot and test again

see:
man update-crypto-policies
man crypto-policies

doc link:
3.3. Setting up system-wide cryptographic policies in the web console
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#ref_list-of-rhel-applications-using-cryptography-that-is-not-compliant-with-fips-140-2_using-the-system-wide-cryptographic-policies

note that AES support was added to SCEP in RHCS-10.4 on RHEL-8.6:
https://access.redhat.com/errata/RHSA-2024:0774
with:
jss-4.9.8-1.module+el8pki+19895+c800dfbd
tomcatjss-7.7.3-1.module+el8pki+19895+c800dfbd
redhat-pki-10.13.9-5.module+el8pki+21062+4ed906e8

On Mon, Apr 8, 2024 at 10:01 AM Project Administrator wrote:
> Dear colleagues,
>
> Dogtag version - 11.8.4, a lot of old Cisco devices should be supported,
> and we got this message on pkic-tomcat server when tried to
> (configure) crypto pki enroll PKI.LVM
>
> 2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path [/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for provider Mozilla-JSS]
>
> Prerequisites: all parameters for SCEP security were enabled:
>
> ca.scep.encryptionAlgorithm=DES3
> ca.scep.allowedEncryptionAlgorithms=DES3
> ca.scep.hashAlgorithm=SHA1
> ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
> ca.scep.nickname=Server-Cert
> ca.scep.nonceSizeLimit=20
[Pki-users] SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS
Dear colleagues,

Dogtag version - 11.8.4, a lot of old Cisco devices should be supported,
and we got this message on pkic-tomcat server when tried to
(configure) crypto pki enroll PKI.LVM

2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path [/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for provider Mozilla-JSS]

Prerequisites: all parameters for SCEP security were enabled:

ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20
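The exception above is raised while the CA unwraps the PKCS#10 inside the SCEP PKCSReq, so before loosening the system crypto policy it is worth confirming which signature algorithm the device's CSR actually carries. The following is an added diagnostic, not code from the thread or from Dogtag/JSS: a dependency-free DER walker that reads the CSR's outer signatureAlgorithm OID and flags SHA-1 (or MD5). The CSR it runs on is constructed in the block (a CSR-shaped structure with a filler signature), since no real Cisco request is available offline; the OID-to-name table and the `DEPRECATED_HASHES` tuple are the author's assumptions about what a default policy rejects.

```python
"""Report the signature algorithm of a PKCS#10 CSR (PEM or DER), no third-party libs."""
import base64
import re

# RFC 3279 / RFC 8017 names for OIDs a SCEP CA commonly sees (assumed subset).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
DEPRECATED_HASHES = ("md5", "sha1")   # assumption: what DEFAULT policy refuses


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def _to_der(csr):
    """Accept PEM text or raw DER bytes; return DER bytes."""
    if isinstance(csr, str):
        body = re.sub(r"-----[A-Z ]+-----", "", csr)
        return base64.b64decode("".join(body.split()))
    return csr


def csr_signature_algorithm(csr):
    """Return (oid, name) of the CSR's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(_to_der(csr), 0)
    if tag != 0x30:
        raise ValueError("CertificationRequest must be a SEQUENCE")
    # CertificationRequest ::= SEQUENCE { certificationRequestInfo,
    #                                     signatureAlgorithm, signature }
    _, _, pos = _read_tlv(body, 0)             # skip certificationRequestInfo
    tag, alg_id, _ = _read_tlv(body, pos)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = _decode_oid(oid_bytes)
    return oid, SIG_ALG_OIDS.get(oid, "unknown")


def uses_deprecated_hash(csr):
    """True when the CSR signature hash is one the default policy rejects."""
    return any(h in csr_signature_algorithm(csr)[1].lower() for h in DEPRECATED_HASHES)


# --- constructed sample input (for demonstration; the signature is filler) ----

def _der(tag, content):
    """Encode a DER TLV, using long-form length where needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(chunk)
    return out


def make_sample_csr(sig_oid):
    """CSR-shaped DER: minimal requestInfo, given AlgorithmIdentifier, filler signature."""
    info = _der(0x30, _der(0x02, b"\x00"))                              # version 0 only
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + bytes(256))                              # RSA-2048-sized filler
    return _der(0x30, info + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        pem = to_pem(make_sample_csr(oid))
        print(csr_signature_algorithm(pem), "deprecated:", uses_deprecated_hash(pem))
```

On a real system, feed the PEM saved from the device (or extracted from the SCEP PKCSReq) to `csr_signature_algorithm`; if it reports sha1WithRSAEncryption, the device firmware, not the CA profile, is choosing SHA-1, which is the case the crypto-policy change in the replies addresses.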
[Pki-users] SCEP enrollment
Dear colleagues,

Dogtag version - 11.8.4, a lot of old Cisco devices should be supported,
and we got this message on pkic-tomcat server when tried to
(configure) crypto pki enroll PKI.LVM

2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path [/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for provider Mozilla-JSS]

Prerequisites: all parameters for SCEP security were enabled:

ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20