[Pki-users] Re: SCEP enrollment: No such algorithm: SHA1/RSA for provider Mozilla-JSS

you may need to change the system's cryptographic policies to either "LEGACY" or "DEFAULT:SHA1", as SHA-1 has been deprecated: update-crypto-policies --set DEFAULT:SHA1 reboot and test again see: man update-crypto-policies man crypto-policies doc link: 3.3. Setting up system-wide cryptographic policies in the web console https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... note that AES support was added to SCEP in RHCS-10.4 on RHEL-8.6: https://access.redhat.com/errata/RHSA-2024:0774 with: jss-4.9.8-1.module+el8pki+19895+c800dfbd tomcatjss-7.7.3-1.module+el8pki+19895+c800dfbd redhat-pki-10.13.9-5.module+el8pki+21062+4ed906e8 On Mon, Apr 8, 2024 at 10:01 AM Project Administrator <admin(a)postmet.com&gt; wrote: > Dear colleagues, > > Dogtah version - 11.8.4, a lot of old cisco devices should be supported, > and we got this message on pkic-tomcat server when > tried to > (configure) crypto pki enroll PKI.LVM > > 2024-04-08 18:18:37 [http-nio-8080-exec-17] SEVERE: Servlet.service() for > servlet [caDynamicProfileSCEP] in context with path > [/ca] threw exception [Couldn't handle CEP request (PKCSReq) - Could not > unwrap PKCS10 blob: no such algorithm: SHA1/RSA for > provider Mozilla-JSS] > > Prerequisites: all parameters for SCEP Security was enabled: > > ca.scep.encryptionAlgorithm=DES3 > ca.scep.allowedEncryptionAlgorithms=DES3 > ca.scep.hashAlgorithm=SHA1 > ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512 > ca.scep.nickname=Server-Cert > ca.scep.nonceSizeLimit=20 > > _______________________________________________ > Pki-users mailing list -- users(a)lists.dogtagpki.org > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s