You may need to change the system's cryptographic policies to either
"LEGACY" or "DEFAULT:SHA1", as SHA-1 has been deprecated:

    update-crypto-policies --set DEFAULT:SHA1

Reboot and test again.

See:

    man update-crypto-policies
    man crypto-policies
doc link:
3.3. Setting up system-wide cryptographic policies in the web console
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
note that AES support was added to SCEP in RHCS-10.4 on RHEL-8.6:
https://access.redhat.com/errata/RHSA-2024:0774
with:
jss-4.9.8-1.module+el8pki+19895+c800dfbd
tomcatjss-7.7.3-1.module+el8pki+19895+c800dfbd
redhat-pki-10.13.9-5.module+el8pki+21062+4ed906e8
On Mon, Apr 8, 2024 at 10:01 AM Project Administrator <admin(a)postmet.com>
wrote:
Dear colleagues,
Dogtag version - 11.8.4, a lot of old Cisco devices should be supported,
and we got this message on pkic-tomcat server when we tried to
(configure) crypto pki enroll PKI.LVM
2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for
servlet [caDynamicProfileSCEP] in context with path
[/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not
unwrap PKCS10 blob: no such algorithm: SHA1/RSA for
provider Mozilla-JSS]
Prerequisites: all parameters for SCEP Security were enabled:
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20
_______________________________________________
Pki-users mailing list -- users(a)lists.dogtagpki.org
To unsubscribe send an email to users-leave(a)lists.dogtagpki.org
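A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original messages or of the Dogtag project: it reads the `ca.scep.*` hash settings and reports whether the named crypto policy would block the SHA-1 they rely on. The function names and the sample input are constructed here, and the rule that only LEGACY or a policy with the SHA1 subpolicy permits SHA-1 is an assumption taken from the reply above.

```shell
#!/bin/sh
# Added example: does the active crypto policy permit the SHA-1 that SCEP is configured for?

# Constructed sample mirroring the ca.scep.* hash/encryption lines quoted in the thread.
sample_cfg() {
cat <<'EOF'
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
EOF
}

# cfg_get KEY: print the value of KEY from CS.cfg-style "key=value" text on stdin.
cfg_get() {
    awk -v k="$1" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# policy_allows_sha1 POLICY: succeed if POLICY is LEGACY or carries the SHA1 subpolicy.
# Assumption taken from the reply: any other policy is treated as rejecting SHA-1.
policy_allows_sha1() {
    case "$1" in
        LEGACY|LEGACY:*|*:SHA1|*:SHA1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# scep_sha1_check POLICY < CS.cfg: return 1 when SCEP is set up for SHA1 but POLICY blocks it.
scep_sha1_check() {
    policy="$1"
    cfg=$(cat)
    hash=$(printf '%s\n' "$cfg" | cfg_get ca.scep.hashAlgorithm)
    allowed=$(printf '%s\n' "$cfg" | cfg_get ca.scep.allowedHashAlgorithms)
    case ",$hash,$allowed," in
        *,SHA1,*)
            if ! policy_allows_sha1 "$policy"; then
                echo "BLOCKED: SCEP accepts SHA1 but crypto policy is $policy"
                return 1
            fi ;;
    esac
    echo "OK: policy=$policy hashAlgorithm=$hash allowedHashAlgorithms=$allowed"
}

# Live use: sh check.sh --live /path/to/CS.cfg (the path is supplied by the operator).
if [ "${1:-}" = "--live" ]; then
    scep_sha1_check "$(update-crypto-policies --show)" < "${2:?path to CS.cfg required}"
else
    sample_cfg | scep_sha1_check DEFAULT || true   # demo on the constructed sample
fi
```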