you may need to change the system's cryptographic policies to either "LEGACY" or "DEFAULT:SHA1", as SHA-1 has been deprecated:

update-crypto-policies --set DEFAULT:SHA1

reboot and test again

see:

man update-crypto-policies

man crypto-policies

doc link:

3.3. Setting up system-wide cryptographic policies in the web console

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#ref_list-of-rhel-applications-using-cryptography-that-is-not-compliant-with-fips-140-2_using-the-system-wide-cryptographic-policies

note that AES support was added to SCEP in RHCS-10.4 on RHEL-8.6:

https://access.redhat.com/errata/RHSA-2024:0774

with:

jss-4.9.8-1.module+el8pki+19895+c800dfbd

tomcatjss-7.7.3-1.module+el8pki+19895+c800dfbd

redhat-pki-10.13.9-5.module+el8pki+21062+4ed906e8

On Mon, Apr 8, 2024 at 10:01 AM Project Administrator <admin@postmet.com> wrote:

Dear colleagues,

Dogtah version - 11.8.4, a lot of old cisco devices should be supported, and we got this message on pkic-tomcat server when
tried to
(configure) crypto pki enroll PKI.LVM

2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for servlet [caDynamicProfileSCEP] in context with path
[/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: no such algorithm: SHA1/RSA for
provider Mozilla-JSS]

Prerequisites: all parameters for SCEP Security was enabled:

ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.nickname=Server-Cert
ca.scep.nonceSizeLimit=20

_______________________________________________
Pki-users mailing list -- users@lists.dogtagpki.org
To unsubscribe send an email to users-leave@lists.dogtagpki.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s