Is SHA-3 Supported?

Similar Messages

• Supported Certificate Thumbprint Algorithms

  I recently got this in an email from my cert issuer.
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AD927&actp=LIST&viewlocale=en_US
  SHA-1 support is being phased out from Google Chrome and SHA-2 should be used.
  Upon investigating the matter, I found that "The only thumbprint algorithm currently supported is sha1".
  From here: http://msdn.microsoft.com/library/azure/gg465718.aspx
  This page leaves it ambiguous: http://azure.microsoft.com/en-us/documentation/articles/cloud-services-configure-ssl-certificate/
  Others have had success using SHA-2: http://stackoverflow.com/questions/22358406/can-azure-cloud-service-use-a-sha256-certificate
  Could someone clarify if it does indeed work and if it is or isn't supported.
  Thank you!

  Hi darielmarlow,
  Thanks for your post.
  As the article mentioned, "The only thumbprint algorithm currently supported is sha1. If you are not certain which thumbprint algorithm your certificate supports, you can use the certmgr.msc snap in with
  the Microsoft Management Console (MMC) to inspect the certificate."  Support or not support the thumbprint algorithm "sha-2" not decided by azure cloud service, it decided by the certificate you are used. If the certificate you want to
  upload to azure supports thumbprint algorithm "sha-2", then you can set it just fine:
  <Certificates>
  <Certificate name="cert" thumbprint="xxxxxxx" thumbprintAlgorithm="SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256" />
  </Certificates>
  And how to replace the sha-1 certificate with sha-2, you can refer to the introductions below:
  https://www.digicert.com/sha-2-ssl-certificates.htm
  Best Regards,
  Fuxiang
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. <br/> Click <a
  href="http://support.microsoft.com/common/survey.aspx?showpage=1&scid=sw%3Ben%3B3559&theme=tech"> HERE</a> to participate the survey.

• Will Security Advisory 2949927 add SHA-2 to TMG?

  I know that this topic has been under discussion for many times, but i still want to keep up hope..
  Does anyone happen to know if Security Advisory 2949927 that brings SHA-2 support to underlaying OS of TMG, would also bring it to TMG? Since TMG is relying on OS schannel process..
  s
  Antti Laatikainen IT Security Manager Santen Europe

  Hi,
  I am sorry to say that there is no official documents that indicate SHA-2 is supported in TMG because of the availability of SHA-2 hashing algorithm for Windows Server 2008 R2 at present.
  Best regards,
  Susie

• Pam.conf does not use ldap for password length check when changing passwd

  I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
  I have dsee 6.0 installed on a solaris 10 server (client).
  I have a solaris 9 server (server) set up to use ldap authentication.
  bash-2.05# cat /var/ldap/ldap_client_file
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= X, Y
  NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
  NS_LDAP_AUTH= tls:simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= tls_profile
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_BIND_TIME= 10
  bash-2.05# cat /var/ldap/ldap_client_cred
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
  NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
  bash-2.05# cat /etc/nsswitch.conf
  # /etc/nsswitch.ldap:
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # uses LDAP in conjunction with files.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
  passwd: files ldap
  group: files ldap
  # consult /etc "files" only if ldap is down.
  hosts: files dns
  ipnodes: files
  # Uncomment the following line and comment out the above to resolve
  # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
  # IPv4 addresses are searched in all of the ipnodes databases before
  # searching the hosts databases. Before turning this option on, consult
  # the Network Administration Guide for more details on using IPv6.
  #ipnodes: ldap [NOTFOUND=return] files
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: files
  bootparams: files
  publickey: files
  netgroup: ldap
  automount: files ldap
  aliases: files ldap
  # for efficient getservbyname() avoid ldap
  services: files ldap
  sendmailvars: files
  printers: user files ldap
  auth_attr: files ldap
  prof_attr: files ldap
  project: files ldap
  bash-2.05# cat /etc/pam.conf
  #ident "@(#)pam.conf 1.20 02/01/23 SMI"
  # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1 debug
  login auth required pam_dhkeys.so.1 debug
  login auth required pam_dial_auth.so.1 debug
  login auth binding pam_unix_auth.so.1 server_policy debug
  login auth required pam_ldap.so.1 use_first_pass debug
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1 use_first_pass
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_auth.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1 use_first_pass
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authenctication
  other auth requisite pam_authtok_get.so.1 debug
  other auth required pam_dhkeys.so.1 debug
  other auth binding pam_unix_auth.so.1 server_policy debug
  other auth required pam_ldap.so.1 use_first_pass debug
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy debug
  passwd auth required pam_ldap.so.1 use_first_pass debug
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_projects.so.1
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1 debug
  other account required pam_projects.so.1 debug
  other account binding pam_unix_account.so.1 server_policy debug
  other account required pam_ldap.so.1 no_pass debug
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1 debug
  other password requisite pam_authtok_get.so.1 debug
  other password requisite pam_authtok_check.so.1 debug
  other password required pam_authtok_store.so.1 server_policy debug
  # Support for Kerberos V5 authentication (uncomment to use Kerberos)
  #rlogin auth optional pam_krb5.so.1 try_first_pass
  #login auth optional pam_krb5.so.1 try_first_pass
  #other auth optional pam_krb5.so.1 try_first_pass
  #cron account optional pam_krb5.so.1
  #other account optional pam_krb5.so.1
  #other session optional pam_krb5.so.1
  #other password optional pam_krb5.so.1 try_first_pass
  I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
  May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
  May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
  May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
  May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
  May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
  May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
  May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
  May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
  May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
  May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
  May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
  If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
  bash-2.05$ passwd
  passwd: Changing password for VV
  Enter existing login password:
  New Password:
  passwd: Password too short - must be at least 8 characters.
  Please try again
  May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
  May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
  May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
  May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
  May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
  May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
  May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
  I am using the default policy on the directory server which states a minimum password length of 6 characters.
  server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
  pwd-accept-hashed-pwd-enabled : N/A
  pwd-check-enabled : off
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 1d
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : off
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : off
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : disabled
  pwd-max-failure-count : 3
  pwd-max-history-count : disabled
  pwd-min-age : disabled
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : CRYPT
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : off
  pwd-strong-check-require-charset : lower
  pwd-strong-check-require-charset : upper
  pwd-strong-check-require-charset : digit
  pwd-strong-check-require-charset : special
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : off
  Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
  . It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
  I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
  Edited by: ericduggan on Sep 8, 2008 5:30 AM

  you can try passwd -r ldap for changing the ldap passwds...

• Signing a PDF document converts it to a higher PDF Version

  I am using Acrobate 9.3 Standard.  For my industry, we are required to keep our PDF files at Version 1.4 (Adobe 5.0).  However, when we digitally sign a document it forces a save and during that save process it converts the document to Version 1.6 (Adobe 7.0).  Down-converting back to 1.4 obviously invalidats the signature.
  If there a way to force the digital signature signing save to keep the document at Version 1.4?
  Thanks,
  Muiron

  The short answer is no.
  In the Acrobat 5 (PDF 1.4) timeframe all you could do was create a digital signature using an Acrobat generated self-signed certificate. A5 had no concept of certificate chaining or revocation checking, which was introduced in A6 (PDF 1.5). Version 7 introduced time stamping, SHA-256 support, and OCSP revocation checking, and that's the current minimum.The older PDF standards (1.5 and earlier) don't support a signature created in A9.
  Steve

• About hash with MessageDigest

  Hi, I have troubles when I using MessageDigest to get hash.
  I use JCDK3.0.3_ClassicEdition_RR and jdk1.5
  here's part of my code:
  private void getDigest(byte[] buffer)
            if (hashArray == null)
                 hashArray = JCSystem.makeTransientByteArray((short)20, JCSystem.CLEAR_ON_DESELECT);
            MessageDigest alg = MessageDigest.getInstance(MessageDigest.ALG_SHA,true);
            //alg.doFinal(buffer, (short)5, (short)8, hashArray, (short)0);
            //return alg.getLength();
  It returns 6f 00
  If I annotate the line of MessageDigest.getInstance, the applet runs well. So I think MessageDigest.getInstance causes the trouble.
  Please help me! Or tell me how to get hash of message. thx!

  6f00 means there is unhandled exception in your code. Use try/catch statements to handle it and found the reason. Similar to that:
  try{
  MessageDigest alg = MessageDigest.getInstance(MessageDigest.ALG_SHA,true);
  catch(CryptoException e)
  if ( e.GetReason() == CryptoException.NO_SUCH_ALGORITHM )
  ISOException.throwIt( something );
  }according to java card specifiation NO_SUCH_ALGORITHM is the only exception for MessageDigest.getInstance. The reasons are "if the requested algorithm or shared access mode is not supported.". So, check that SHA is supported by tools/cards that you use, try to set externalAccess flag to false.

• DS 6.2 and password expiration

  Hello,
  I'm having problems enforcing password expiration with DSEE. We have two Solaris 10 DSEE 6.2 servers configured with multi-master replication. The clients are running Solaris 8 (117350-47 Jun 2007 kernel patch level), and are using pam_ldap authentication.
  Using either telnet (just as a test) or ssh to login, I don't receive warnings of password expiration, nor is the account locked after passwordExpirationTime is exceeded.
  As an example, I can still authenticate as a user with this passwordExpirationTime:
  passwordExpirationTime=20071123163438Z
  The following is our DSEE password policy:
  pwd-accept-hashed-pwd-enabled : off
  pwd-check-enabled : on
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 4w
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : on
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : on
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : 12w6d
  pwd-max-failure-count : 4
  pwd-max-history-count : 3
  pwd-min-age : 1w
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : SSHA
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : on
  pwd-strong-check-require-charset : any-three
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : on
  Am I missing something obvious in the DSEE password policy? Would any other information be helpful in troubleshooting, such as /etc/pam.conf, patch levels of other packages, etc.?
  Thanks!

  If your DS6 instance is in DS5-compatible-mode (see above references), passwordExpirationTime is not ignored; however, please note that modifying server operational attributes via protocol has never been supported.
  A supported way to force a user to change his or her password (without administratively resetting the password) would be to define a specialized password policy with a small max-age value (but maintaining the relationship pwdMinAge+pwdExpireWarning<pwdMaxAge), and use Roles/CoS to scope the policy to the user entry that requires a password change, but for which the password has not yet been changed. A value of pwdChangedTime in the past (or its absence from the entry) would indicate that the password had not yet been changed as requested. If the DS6 instance is in DS5-compatible-mode, you will need to enable grace logins via passwordWarning in the policy, while if the DS6 instance is in DS6-migration-mode or DS6-mode, you will also need to enable grace logins via pwdGraceAuthNLimit in the policy. Otherwise, the user cannot bind with an expired password.
  OpenDS includes a "must-change-by" feature in the password policy that simplifies configuring the specialized password policy, but I'm not aware of any plans to add this feature to DS6.

• How to enable SHA-2 hashing algorithm support on windows 7

  Hello All,
  Please suggest how to invalidate SHA-1 and MD5 algorithm on windows 7 and how to enable SHA-2.
  As suggested by Microsoft, regarding the availability of SHA-2 hashing algorithm, security update KB2949927 is installed on windows 7.
  Thank You

  Hi,
  Please check if you have installed the below mentioned update:
  http://support.microsoft.com/kb/2973337/en-us
  After installing this update, SHA512 is enabled for TLSv1.2.
  IE shall also be using TLS internally. Hope that should resolve your problem.
  Please refer to the below link for a similar discussion and its solution posted there:
  https://social.technet.microsoft.com/Forums/office/en-US/857c6804-8ce1-4f09-b657-00554055da16/tls-12-and-sha512?forum=winserversecurity
  (Please mark as answer if it resolves your issue. Please upvote if it is helpful.)
  Regards,
  Rajesh

• What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH)

  Hi,
  I just want to know,
  What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH).
  if support already,
  how can i setting.
  plz.  help me!!! 

  The following blog states that SQL Server "leverages the SChannel layer (the SSL/TLS layer provided
  by Windows) for facilitating encryption.  Furthermore, SQL Server will completely rely upon SChannel to determine the best encryption cipher suite to use." meaning that the version of SQL Server you are running has no bearing on which
  encryption method is used to encrypt connections between SQL Server and clients.
  http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx
  So the question then becomes which versions of Windows Server support TLS 1.2.  The following article indicates that Windows Server 2008 R2 and beyond support TLS 1.2.
  http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
  So if you are running SQL Server on Windows Server 2008 R2 or later you should be able to enable TLS 1.2 and install a TLS 1.2 certificate.  By following the instructions in the following article you should then be able to enable TLS 1.2 encryption
  for connections between SQL Server and your clients:
  http://support.microsoft.com/kb/316898
  I hope that helps.

• Support of SHA-2 256 in Windows Embedded Standard 7 SP1

  Is there support for SHA-2 256 in Windows Embedded Standard 7 SP1 OS?
  If so, is there any possibility of setting it through registry settings?

  According to this blog:
  http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx Windows 7 (also WES7) supports SHA2.
  www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

• Three tier PKI - support both SHA-1 and SHA-2

  Hey guys,
  We're about to implement a new three tier PKI - root, intermediate and Issuing CA's... is it possible to have the root and intermediate configured as SHA-1, and have multiple Issuing CA's - some SHA-1 and some SHA-2, or do the SHA-2 Issuing CA's need to
  be signed by SHA-2 certificate chain?
  Thanks in advance

  I agree with Vadims - if you can start from scratch now I would recommend setting up different hierarchies with consistent algorithms.
  The mixed scenario you propose would be sort of trade-off for existing PKIs - I had related discussions with some clients of mine:
  If you have to meet SHA-2 as per compliance / security guidelines but your Root CA processes are complicated, expensive, you use HSMs at the Root level (but there is no budget / time to install another one) etc., then adding a SHA-2-capable issuing CA to
  an existing hierarchy is a first step and might meet your different requirements.
  Then you can start moving over all existing templates (and related apps.) to the new CA. If you are 100% sure that all your apps would support SHA-2 you could probably "upgrade" the Root CA by renewing it with a modified hash algorithm.
  But you never know if you will have to support another PKI-enabled application or device in the future (some embedded system for example) that does not understand SHA-2 so you might want to keep the alternative SHA-1 hierarchy.

• Do Mountain Lion and Safari 6.2.2 support SHA-256 Hash algorithms in HTTPS security certificates?

  I use SalesForce for my client CRM. I've just received a notice informing me that they are upgrading from SHA-1 hash to SHA-256 for increased HTTPS certificate security. Will my current OS X version (Mountain Lion) and Safari version (6.2.2) support this upgrade?

  NEVERMIND! SalesForce provided a test page and I was able to determine that both my Mac and Windows environments and browsers support the upgrade.

• What changes are needed to have iDS 5.1 support SHA instead of SSHA as the default ?

  We have an application that ONLY supports SHA passwords
  and when we upgraded from iDS 4.16 to iDS 5.1 it doesnt
  work any more. Looking further, iDS 4.16 supported SHA
  as the default for password storage and iDS 5.1 supports the more secure SSHA as its default.
  Is there a way that we can specify what accounts use
  SHA versus SSHA ? If not, how do you configure iDS 5.1
  to support SHA as its default ?

  Hello, I read your response and I have a slightly different problem. I have set up a LDAP on Iplanet 5.1 and imported users from our old 4.x directory. When I did this everyone was added with their existing SHA hashed password.
  Now any new users that we have been adding have been loaded to the directory whit an SSHA hased password. This has caused a problem with some of our applications that require an SHA hashed password.
  I know where I can reset the default password hashing for the LDAP, but is there a way I can convert the passwords for the few hundred users that we entered before figuring this out from the SSHA hashed password to the SHA hashed password? I tried to do this via an LDIF import and when the LDIF file contained a userpassword value that began with {SSHA}, that is the way it was imported.
  Is there a way to have the IPlanet LDAP do this? Or write a simple program to do this? We don't want to have each one of these users have to enter a new password and then have the LDAP server encrypt it, we would rather just take the existing SSHA hashed password and convert it to an SHA hashed password. Is this possible?
  Any help would be greatly appreciated.
  Thanks

• SHA-2 Algorithm Support

  We are building a Windows PKI based upon SHA-2 algorithms. I can't find definitively whether iPads (and iPhones) will support certificates signed by SHA-256. We'd need the iPads to be able to verify and validate the ceritifate chain, and also be able to use a certificate based upon SHA-256 for authentication purposes (wireless networks).

  I can't say definitively that iOS will support custom certificates with SHA-256 encryption, but iOS does include a certificate with SHA-256 encryption as part of the base set:
  http://support.apple.com/kb/HT3580
  so it would seen possible, at least. You can find some information on certificates in the Enterprise Deployment Guide:
  http://manuals.info.apple.com/enUS/Enterprise_DeploymentGuide.pdf
  Hope this helps.

• SHA Message Digest Algo not supported by IBM JDK

  Hi,
  When I run an application with IBM's JDK, am getting the following exception:
  "java.lang.SecurityException: SHA MessageDigest not available"
  Any idea on how to create support for this Message Digest algo? One way is to use provider, I guess. But I don't know how to use a provider & where to get it from. Any suggestions/thoughts?
  Regards,
  GSP

  In my code, a class extends java.rmi.server.UnicastRemoteObject. & the exception occurs when this class is run with IBM JDK. The stack trace is:
  java.lang.SecurityException: SHA MessageDigest not available
  at sun.rmi.server.Util.computeMethodHash(Util.java:378)
  at sun.rmi.server.UnicastServerRef$HashToMethod_Maps.createMap(UnicastServerRef.java:544)
  at sun.rmi.server.WeakClassHashMap.getMap(WeakClassHashMap.java:71)
  at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:196)
  at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:306)
  at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:248)
  at java.rmi.server.UnicastRemoteObject.<init>(UnicastRemoteObject.java:146)
  at java.rmi.server.UnicastRemoteObject.<init>(UnicastRemoteObject.java:132)
  at Engine.<init>(Unknown Source)
  where Engine is the class that extends UnicastRemoteObject.