Why does a TSS GENREQ command generate an SHA1 digital certificate?

Document ID : KB000032858
Last Modified Date : 14/02/2018

Question:

When I execute a TSS GENCERT command with SIGNALG(SHA256) to get an SHA256 certificate, a list shows that it is OK: ALGORITHM = sha256WithRSAEncryption
When I execute a TSS GENREQ command to produce a file to be signed, the certificate in the file is an SHA1 certificate.
Why isn't it an SHA256 digital certificate?  

Answer: 

At present, when you issue a TSS GENREQ command, the PKCS#10 request that is produced is signed with SHA1 even if the certificate was signed with SHA256.

This should not be a problem, because the signer replaces that signature when it issues the certificate.

The signer's signature is the one that will be in effect once the certificate is added back into CA Top Secret.
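As an added illustration (not part of this KB article or of the CA Top Secret product), the following Python reads the signature algorithm field out of a DER- or PEM-encoded PKCS#10 request and out of an X.509 certificate. Both objects share the same outer DER layout (signed body, AlgorithmIdentifier, BIT STRING), so one walker serves both, and running it on a request and on the certificate issued from it shows that the request's SHA1 self-signature and the certificate's SHA256 signature are separate fields. The sample inputs below are constructed shells with a placeholder body and a zeroed signature, not real signed objects; point signature_algorithm() at an actual exported request or certificate file to check the real thing.

```python
"""Read the signature algorithm of a PKCS#10 request or an X.509 certificate.

Both share the same outer DER shape, so one small walker serves both:
    SEQUENCE {
        <tbs>                -- CertificationRequestInfo or TBSCertificate
        AlgorithmIdentifier  -- SEQUENCE { OID, parameters }
        BIT STRING           -- the signature value
    }
The request's AlgorithmIdentifier describes the requester's self-signature;
the certificate's describes the CA's signature. They are independent fields.
"""
import base64
import re

# RSA PKCS#1 v1.5 signature OIDs; the two named in the article plus SHA-384/512.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(contents: bytes) -> str:
    """Turn OID contents octets into dotted-decimal form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(blob: bytes) -> bytes:
    """Accept PEM or DER input; strip PEM armour and base64-decode when present."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", blob)
        return base64.b64decode(b"".join(body.split()))
    return blob


def signature_algorithm(blob: bytes) -> str:
    """Return the signature algorithm name (or bare OID) of a request or certificate."""
    der = pem_to_der(blob)
    tag, outer, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, _tbs, pos = read_tlv(outer, 0)               # skip the signed body
    tag, alg_id, _ = read_tlv(outer, pos)           # AlgorithmIdentifier
    tag2, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)


def compare(request_blob: bytes, certificate_blob: bytes) -> dict:
    """Show the request's and the issued certificate's signature algorithms side by side."""
    return {"request": signature_algorithm(request_blob),
            "certificate": signature_algorithm(certificate_blob)}


# --- constructed sample inputs (not real signed objects) ---------------------

def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_sample(sig_oid: str) -> bytes:
    """Constructed shell: placeholder body plus a zeroed 2048-bit signature value."""
    tbs = tlv(0x30, tlv(0x02, b"\x00"))
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")    # OID + NULL parameters
    sig = tlv(0x03, b"\x00" + bytes(256))                 # 0 unused bits + value
    return tlv(0x30, tbs + alg + sig)


def to_pem(der: bytes, label: str) -> bytes:
    """Wrap DER in PEM armour, as an exported request or certificate would be."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())


if __name__ == "__main__":
    request = to_pem(build_sample("1.2.840.113549.1.1.5"), "CERTIFICATE REQUEST")
    issued = build_sample("1.2.840.113549.1.1.11")
    # → {'request': 'sha1WithRSAEncryption', 'certificate': 'sha256WithRSAEncryption'}
    print(compare(request, issued))
```

The parser deliberately skips the signed body and reads only the AlgorithmIdentifier that follows it; that is the field a GENREQ request carries as sha1WithRSAEncryption, and the field the signing CA sets independently when it produces the certificate you add back.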

Additional Information:

Reworking this logic so that the PKCS#10 certificate request produced by the TSS GENREQ command uses the SHA256 signing algorithm whenever the digital certificate was signed with SHA256 is considered an enhancement request.

To create a new Idea on the CA Mainframe Security community wall, do the following:

1. Log in to communities.ca.com.
2. From your "CA Mainframe Security" community, select "Content" then "Ideas".
3. On the left, under "ACTIONS", click "Create an Idea".
4. Complete the fields on the idea form.
5. Click Publish.