SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS
by Project Administrator
Let's summarize:
1. update-crypto-policies --set DEFAULT:SHA1
   and configure the set of SCEP security settings described in 5.8.2, "Configuring Security Settings for SCEP":
   https://access.redhat.com/documentation/en-us/red_hat_certificate_system/...
2. With last-generation Cisco devices, everything is correct with SCEP enrollment and Dogtag 11.8.4, optionally with:
   - crypto pki trustpool import clean [terminal | url url]
   - crypto pki trustpool import {terminal} {url url | ca-bundle} {vrf vrf-name | source interface interface-name}
   - chain-validation stop
   - password [stroke]
   - hash sha256
   - rsakeypair [key-label key-size encryption-key-size]
   It does not work with eckeypair [label]: no CSR request is made at all, with the error: not found private key for eckeypair :(
3. Router(config)# crypto ca auth [trustpoint name]
4. Uncomment UID: and PWD: in flatfile.txt, set UID:ip_addr_of_router and PWD:[stroke], then, with debugging enabled:
Crypto PKI Msg debugging is on
Crypto PKI Trans debugging is on
Crypto PKI Certificate Server debugging is on
Crypto PKI SCEP Messages debugging is on
Router(config)# crypto pki enroll [trustpoint name]
Insert serial number(yes/no)?
Request certificate from CA(yes/no)?
All done.
5. Unfortunately, the old Cisco hardware with IOS >= 12.X and SHA-1 cannot request certs, due to the error in the subject.
5 months, 4 weeks
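The failure in the subject is raised while Dogtag unwraps the PKCS#10 blob inside the SCEP PKCSReq, because the CSR is signed with sha1WithRSAEncryption and the JSS provider follows the system crypto policy. The following is an added example, not code from the thread or from Dogtag: it reads the signatureAlgorithm OID straight out of a DER CSR and applies the two gates discussed above (the ca.scep.allowedHashAlgorithms list from CS.cfg, and whether the DEFAULT:SHA1 policy is set), so an operator can check what a fleet of devices will send before changing either. The CSR blobs are constructed, minimal DER shells, not real requests.

```python
"""Report the signature hash of a PKCS#10 CSR and predict SCEP acceptance."""
from typing import Tuple

# RSA signature OIDs mapped to the hash names Dogtag uses in ca.scep.* keys.
SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.5": "SHA1",     # sha1WithRSAEncryption (old IOS)
    "1.2.840.113549.1.1.11": "SHA256",  # sha256WithRSAEncryption ("hash sha256")
    "1.2.840.113549.1.1.12": "SHA384",
    "1.2.840.113549.1.1.13": "SHA512",
}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def csr_signature_hash(der: bytes) -> str:
    """CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, pos = read_tlv(body, 0)          # skip certificationRequestInfo
    _, alg, _ = read_tlv(body, pos)        # signatureAlgorithm (AlgorithmIdentifier)
    tag, oid, _ = read_tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIG_OID_TO_HASH.get(decode_oid(oid), "UNKNOWN")

def scep_would_accept(der: bytes, allowed: str = "SHA1,SHA256,SHA512",
                      sha1_policy: bool = False) -> bool:
    """Gate 1: CS.cfg allow-list. Gate 2: crypto policy (DEFAULT rejects SHA1,
    DEFAULT:SHA1 permits it); assumed to model the JSS provider's behaviour."""
    h = csr_signature_hash(der)
    if h not in allowed.split(","):
        return False
    return h != "SHA1" or sha1_policy

# Constructed CSR shells: empty info SEQUENCE, AlgorithmIdentifier, 1-byte signature.
SHA1_CSR = bytes.fromhex("3015" "3000" "300d" "0609" "2a864886f70d010105" "0500" "030200ff")
SHA256_CSR = bytes.fromhex("3015" "3000" "300d" "0609" "2a864886f70d01010b" "0500" "030200ff")
```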
SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS
by Project Administrator
Dear colleagues,
Dogtag version 11.8.4; a lot of old Cisco devices should be supported, and we got this message on the pkic-tomcat server when we tried to run
(configure) crypto pki enroll PKI.LVM
2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path
[/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for
provider Mozilla-JSS]
Prerequisites: all parameters for SCEP security were enabled:
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20
6 months
SCEP enrollment
by admin@postmet.com
Dear colleagues,
Dogtag version 11.8.4; a lot of old Cisco devices should be supported, and we got this message on the pkic-tomcat server when we tried to run
(configure) crypto pki enroll PKI.LVM
2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path
[/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for
provider Mozilla-JSS]
Prerequisites: all parameters for SCEP security were enabled:
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20
6 months