Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: EJBCA 6.10.0.2
- Fix Version/s: EJBCA 6.11.0
- Component/s: PKI core
- Labels: None
- Issue discovered during: Community
- Sprint: EJBCA Sprint 4
Description
Currently, the default signature algorithm when creating a new OCSP key binding is SHA1WithRSA (for RSA keys) or SHA1withECDSA (for EC keys).
According to current recommendations (European eIDAS, French RGS, US NIST), the hash function used for signing must have an output (digest) length of 256 bits or more.
Actions:
- Change the default OCSP signature algorithms to SHA256WithRSA and SHA256withECDSA
Note:
- Keep SHA1WithDSA as the default for DSA keys
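To verify what a responder actually signs with after such a default change, the check below walks the DER of an OCSPResponse (RFC 6960) to the signatureAlgorithm OID and flags digests shorter than 256 bits. This is an added, stdlib-only example and not EJBCA code or part of the ticket; the sample response it builds is constructed (empty tbsResponseData, dummy signature, no AlgorithmIdentifier parameters), and the OID table covers only the five algorithms the ticket names.

```python
# Added example, not EJBCA code. Reads the signatureAlgorithm OID out of a DER
# OCSPResponse (RFC 6960) and flags digests shorter than 256 bits. Stdlib only.
SIG_ALGS = {  # DER-encoded OID -> (name as EJBCA lists it, digest length in bits)
    bytes.fromhex("2a864886f70d010105"): ("SHA1WithRSA", 160),
    bytes.fromhex("2a864886f70d01010b"): ("SHA256WithRSA", 256),
    bytes.fromhex("2a8648ce3d0401"): ("SHA1withECDSA", 160),
    bytes.fromhex("2a8648ce3d040302"): ("SHA256withECDSA", 256),
    bytes.fromhex("2a8648ce380403"): ("SHA1WithDSA", 160),
}
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ocsp_signature_algorithm(der):
    """Return the raw signatureAlgorithm OID of a successful OCSPResponse."""
    _, resp, _ = _read_tlv(der, 0)             # OCSPResponse SEQUENCE
    tag, status, pos = _read_tlv(resp, 0)      # responseStatus ENUMERATED
    if tag != 0x0A or status != b"\x00":
        raise ValueError("not a successful OCSP response")
    _, rb, _ = _read_tlv(resp, pos)            # [0] EXPLICIT responseBytes
    _, rb, _ = _read_tlv(rb, 0)                # ResponseBytes SEQUENCE
    _, rtype, pos = _read_tlv(rb, 0)           # responseType OID
    if rtype != ID_PKIX_OCSP_BASIC:
        raise ValueError("not a BasicOCSPResponse")
    _, basic, _ = _read_tlv(rb, pos)           # response OCTET STRING
    _, basic, _ = _read_tlv(basic, 0)          # BasicOCSPResponse SEQUENCE
    _, _, pos = _read_tlv(basic, 0)            # tbsResponseData, skipped here
    _, alg_id, _ = _read_tlv(basic, pos)       # signatureAlgorithm AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg_id, 0)           # its algorithm OID
    return oid

def check_policy(der, min_bits=256):
    """Name the signing algorithm and report whether its digest meets min_bits."""
    name, bits = SIG_ALGS.get(ocsp_signature_algorithm(der), ("unknown", 0))
    return name, bits >= min_bits

def _der(tag, body):  # short-form lengths only, enough for the small samples here
    return bytes([tag, len(body)]) + body

def sample_response(sig_oid):
    """Constructed OCSPResponse: empty tbsResponseData, dummy signature, no AlgorithmIdentifier params."""
    basic = _der(0x30, _der(0x30, b"") + _der(0x30, _der(0x06, sig_oid)) + _der(0x03, b"\x00"))
    rb = _der(0x30, _der(0x06, ID_PKIX_OCSP_BASIC) + _der(0x04, basic))
    return _der(0x30, _der(0x0A, b"\x00") + _der(0xA0, rb))
```

On a real responder, feed the DER bytes returned over HTTP to `check_policy` instead of `sample_response`; the old default yields ("SHA1WithRSA", False) and the new one ("SHA256WithRSA", True), while SHA1WithDSA is reported as below the threshold even though the ticket keeps it for DSA keys.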