Does ACF2 support SHA-2 certificates?

Document ID : KB000030672
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

ACF2 supports the creation of SHA-2 certificates as well as the insertion of SHA-2 certificates.

Details:

SHA-2 SSL certificate hashing is a cryptographic algorithm developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). 

 

SHA2 certificates are more secure than all previous algorithms. SHA-2 is a set of cryptographic hash functions 224, 256, 384 or 512 bits. 

TLS 1.2 includes SHA-2 cryptographic hash functions. CA ACF2 supports both SHA-1 and SHA-2. 

 

The signing algorithm is only used when a certificate is signed. The CA ACF2 GENCERT command is used to sign certificates. The GENCERT HASHALG(SHA1|SHA256) parameter overrides the signing algorithm to be used. SHA1 and SHA256 are the possible values. The signature algorithm of an existing certificate cannot be changed, the certificate must be re-signed(GENCERT).  CA ACF2 can be used to create a certificate that is signed with SHA-256 which is one of the SHA-2 signing algorithms.  CA ACF2 support certificates from External CAs that use any of the SHA-2 signing algorithms(hash functions 224, 256, 384 or 512 bits). 

Example:

Using the TSO ACF GENCERT command to create a certificate with SHA256: 

ACF 

GENCERT CERTSHA2.CERT SUBJ(CN='MySHA2' -
OU='My Audit Department' O='Company Name' C=US) -
LABEL(SHA2 CA) HASHALG(SHA256) SIZE(2048) 

 CERTDATA / CERTSHA2.CERT LAST CHANGED BY USER002 ON 06/16/15-09:54          
            CERTNSER(0000000000000001) ISSUERDN(CN=MySHA2.OU=My Audit
            Department.O=Company Name.C=US) KEYSIZE(2,048)        
            LABEL(SHA2 CA) SERIAL#(00) SUBJDN(CN=MySHA2.OU=My Audit D
            epartment.O=Company Name.C=US) TRUST                     

 Certificate is not connected to any key rings                                

ACF                                                                       

chkcert CERTSHA2.CERT                                            

Label:                                                        
    SHA2 CA                                                    
Serial number:                                                
    00                                                        
Issuer's distinguished name:                                  
    CN=MySHA2                                                  
    OU=My Audit Department                                    
    O=Company Name                                            
    C=US                                                      
Subject's distinguished name:                                  
    CN=MySHA2                                                  
    OU=My Audit Department                                    
    O=Company Name                                            
    C=US                                                      
Not valid before:                                              
   2015/06/16  00:00:00 UTC                                  
Not valid after:                                              
    2016/06/16  23:59:59 UTC                                  
Private Key Type:                                              
    RSA                                                        
Private key bit size:                                          
    2048                                                      
Signature Algorithm:                                          
    sha256WithRSAEncryption                                    

This certificate is registered with CA ACF2                    

The CERTDATA record key is CERTSHA2.CERT        
 CERTDATA / CERTSHA2.CERT LAST CHANGED BY USER002 ON 06/16/15-09:54          
            CERTNSER(0000000000000001) ISSUERDN(CN=MySHA2.OU=My Audit
            Department.O=Company Name.C=US) KEYSIZE(2,048)        
            LABEL(SHA2 CA) SERIAL#(00) SUBJDN(CN=MySHA2.OU=My Audit D
            epartment.O=Company Name.C=US) TRUST