Signature algorithm SHA256
NFE requires that CSR have the SHA256 algorithm instead of the usual SHA1... We generate key pair in the NWA key storage with 2048 RSA.. Unfortunately the signature algorithm on the key pair is SHA1 and not SHA256 as requested by government. As a result our CSR is rejected.
Is there any way to generate the key pair with signature algorithm SHA256 from Keystorage view (in NWA) or how do we go about generating one?
Can elaborate more on using -a with that option? The only ones published are RSA (default) and DSA and when I tried explicitly what you wrote it was an invalid option.
We had a situation where we requested our cert from the authority like we normally do with sapgenpse get_pse -p SAPSSLS.pse -r <certeq_name.req>-s 2048 "xxx.xxx.xxx, C=US"
We would get the response back and import it with
sapgenpse import_own_cert -c <cert file.crt> -r <intermed.crt> -r <root.crt> -p SAPSSLS.pse -x <pin>
This time the cert request came back from our authority as G2 (SHA-2). The import failed with an FCPath error, but when l looked at the subject, all the variables were in fact in the certificate chain. The one thing that was odd was that the "C" variable in the error was in quotes (e.g. "company name, inc.") instead of C=comany name, inc.
I asked the authority admin to reprocess my request as SHA-1. He sent me a response and bundle of root+intermediate. Ran the same command, and the SSL cert imported without incident.
Do we need to specify something in the initial request (sapgenpse get_pse...) to insure we get use an SHA-2 cert? Or is there another reason my SHA-1 cert imported when the SHA-2 one gave the FCPath error?
Similar Messages
-
I have just built a new PKI infrastructure for issuing SHA2 certificates. When I duplicate a template and set it up to use KSP instead of CSP to enable SHA2 signing, the only provider I have available is the Microsoft Software Key Storage Provider which
translates into RSASSA-PSS. I am also allowing the Private Key to be exported due to the fact that the cert and Key need to be placed on multiple servers such as in a cluster.
I am finding that FireFox does not support certificates which use RSASSA-PSS and have tracked it to a few Bugzilla reports. IE and Chrome appear to not have any problem with this.
I want to change the provider to something that FireFox supports while still being able to issue SHA2 certs. I am finding that if I unmark the "Allow Key to be Exported" on the template when I build the it, other options for providers appear.
I need to be able to support the big 3 browsers: IE, Firefox, and Chrome while still allowing the key to be exported. I used AlternateSignatureAlgorithms=1 for the capolicy.inf file on both the offline root and Intermediate CA's. I read a post somewhere
that changing the Root to AlternateSignatureAlgorithms=0 and renewing the Intermediate CA certificate could solve the problem but I do not understand how I can obtain a HSA2 certificate for the Intermediate if that is not enabled.
I could use some assistance with this if someone knows how to make this work. Many thanks.
Brian B.Brian,
There is no correlation at all between the
AlternateSignatureAlgorithms=1 or 0 line and the use of SHA256. In my book, it is recommended when you get into the weirder combinations (Elliptical curve versions, etc.)
If you do as you plan (using AlternateSignatureAlgorithms=0),
then the CA certificates will show Sha256RSA as the signature algorithm, and be universally accepted.
As you stated...
1) Change the capolicy.inf on the root CA and renew the root CA certificate.
2) Change the CAPolicy.inf on the issuing CA and renew the issuing CA certificate
Now start issuing the KSP certificates, they will be usable on Firefox
Brian -
RSASSA-PSS certificate signature algorithm support
Hi,
does anyone know if the certificate signature algorithm RSASSA-PSS is supported by Mac OS X?
Currently I have an issue with integrating Mac OS X in SCCM due to an certificate error - bad certificate format!
THanks!Brian,
There is no correlation at all between the
AlternateSignatureAlgorithms=1 or 0 line and the use of SHA256. In my book, it is recommended when you get into the weirder combinations (Elliptical curve versions, etc.)
If you do as you plan (using AlternateSignatureAlgorithms=0),
then the CA certificates will show Sha256RSA as the signature algorithm, and be universally accepted.
As you stated...
1) Change the capolicy.inf on the root CA and renew the root CA certificate.
2) Change the CAPolicy.inf on the issuing CA and renew the issuing CA certificate
Now start issuing the KSP certificates, they will be usable on Firefox
Brian -
What is the complexity of "Elliptic curve Pinstov Vanstone signature" algorithm?
what is the complexity of "Elliptic curve Pinstov Vanstone signature" algorithm?
Why do you ask? And why do you ask us?
-
Help!!input pfx,p12 to jks keystore get error "Signature Algorithm mismach"
The following is the question that I met ~ Who can help me to solve the problem?
use j2sdk1.4.02
I'm tring to use keytool to input my company's pfx file to jks format keystore ,
and I'm getting keytool error "Signature Algorithm mismatch" .
I also tried to import the pfx file to Netscape and export to p12 format ,
and still got error "Signature Algorithm mismatch".
When I using following command ..
keytool -list -keystore xxx.p12 -storetype PKCS12
It still throws keytool error "Signature Algorithm mismatch".
And I checked the pfx(p12) file with IE , the Signature Algorithm Name is RSA.
What problem whith the p12 file?
Is keytool can't support RSA Signature Algorithm, or anything else??
Finally,maybe all the problems are that I have wrong idea, and hope someone can instruct me.
Thanks for help..(I'm looking for this question several days.)
Vincent ...(from Taiwan)I'd just purchase and use KeyStore Explorer. $30 for single-user.
It easily converts between pkcs12 and jks formats. I had no problems generating keys/certs in this tool and exporting them to JKS keystores for use with Java as well as into OpenSSL for use with Apache, etc. -
Unable to calculate a request signature: Algorithm HmacSHA1 not available
I develop one javaFx application.
which upload the files on amazon s3 server.
The application work fine when the executable jar of the application is made.
But when the native packaging of the application is done. The .msi file is created and after installing this .msi the application started correctly but at the time of uploading file on s3 the "Unable to calculate a request signature: Algorithm HmacSHA1 not available" error occur in log file and files are not uploaded.
The creation of the jar and native application is done by the com.zenjava maven plugin.Got the solution.After creating native bundle the bundle have its own private copy of jre this private jre does not contain "ext" folder which is present in regular jre.
This causes the problem of cryptography which is the reason for above problem. -
We have a Certificate Authority (Version: 5.2.3790.3959) configured on Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
Currently i am only able to generate SSL cert with md5RSA.Hi,
Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
Therefore, you need to build a new CA to use a new algorithm.
More information for you:
Is it possible to change the hash algorithm when I renew the Root CA
http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
Changing public key algorithm of a CA certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
modify CA configuration after Migration
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
Best Regards,
Amy Wang -
Set Signature Algorithm to SHA-256 in CSR
running 8.4(5) on ASA5550
im trying to renew the certificate for webvpn, however we have a new requirement that the signature Algorithm should be SHA-256 but when i create the new RSA keys and enroll the trust-point to generate the CSR, i cant find where to change the signature Algorithm and it show
"Signature Algorithm: SHA1 with RSA Encryption"
any advice..You can't change that on the ASA . Check with your CA the one who is signing the request for you .
Moh. -
MD2 signature algorithm on CSS
Hello,
Is the MD2 signature algorithm supported on a CSS?
Thanks for a response.
Kind regards,
KurtI am not sure why you are using MD2. MD2 is an old hashing algorithm and may be very weak compared to MD5, which is very widely used. I strongly suggest you to upgrade to MD5.
-
Issuing CA's signature algorithm changed from sha1RSA to RSASSA-PSS
Hi all,
We found the root cause of why one of our Issuing CA's all of a sudden started issuing certs with a signature algorithm of RSASSA-PSS instead of sha1RSA (the signature algorithm it was originally set up to use). Turns out one of our techs ran the following
command a few months ago on the Issuing CA while trying to get it to issue a custom Polycom device cert:
Certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
After that, the Issuing CA started kicking out certs with RSASSA-PSS as the signature algorithm. I imagine the fix to get this Issuing CA back to using sha1RSA as the signature algorithm is to set that reg entry to 0 or just delete it altogether.
However, my question is, what about all the certs this Issuing CA has issued
since the signature algorithm changed? If I change it back to sha1RSA, will that somehow invalidate or cause an issue with all of the certs issued with RSASSA-PSS? That could be an issue since this CA has issued many many certs to
laptops for NPS 802.1x auth!
Any help is appreciated!
BDHi,
changing the CA signature algorithm will not invalid the existing certificates. They just stay as they are. That's why you haven't experienced any issues as your your tech made the change for RSASSA-PSS.
@moderator: Please move this post to Windows Security forum - http://social.technet.microsoft.com/Forums/en-US/winserversecurity
Hope that helps,
Lutz -
Cipher vs signature algorithm?
Hello,
What is the difference between a chipher and a signature algorithm? How can SunJSSE provider have an implementation of SHA1withRSA signature algorithm but not have an implementation of RSA cipher? Don't you need to have the cipher to do the signature?
Thanks for any insights.Hi!
I'd like to get the same result when I use the Cipher class or when I use the Signature class.
If I use the code below I get different results. Am I doing something wrong? How can I get the same result using these two classes?
Thank you.
//Encryption by the Cipher Class
byte input[]="hello".getBytes();
MessageDigest md = MessageDigest.getInstance("SHA1");
md.update(input);
byte digest[] = md.digest();
Cipher rsaCipher = Cipher.getInstance("RSA");
rsaCipher.init(Cipher.ENCRYPT_MODE, privateKey);
byte[] encryptedData = rsaCipher.doFinal(digest);
System.out.println("textEncrypted="+Base64Utils.base64Encode(encryptedData));
//Encryption by the Signature Class
Signature signatureAlgorithm = Signature.getInstance("SHA1withRSA");
signatureAlgorithm.initSign(privateKey);
signatureAlgorithm.update(input);
encryptedData = signatureAlgorithm.sign();
System.out.println("textEncrypted2="+Base64Utils.base64Encode(encryptedData)); -
Example provided is on 1941 ISR routers with 15.2(2)T1 software. One router has 15.3(1)T.
IKEv2 with pre-shared key comes up fine.
IKEv2 with certificates gives auth exchange fail error
IKEv1 with same certificates comes up fine.
The above were Microsoft CA certificates.
I tried with IOS CA certificates, still auth exchange fail error.
Same results with 3945 and 2911 routers on IOS 15.1(2)TThis is details of how I got it working.
sho tech ipsec
------------------ show version ------------------
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 29-Feb-12 20:40 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
happy uptime is 30 minutes
System returned to ROM by power-on
System restarted at 20:26:58 UTC Fri Mar 1 2013
System image file is "flash0:c2900-universalk9-mz.SPA.152-2.T1.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX1621AJFU
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO2911/K9 FTX1621AJFU
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc None None None
data None None None
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 6483 bytes
! Last configuration change at 20:56:07 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname happy
boot-start-marker
boot-end-marker
security passwords min-length 6
logging buffered 51200 warnings
no logging console
enable secret 4 4Q5iiIH2YznVeGHA3p6Qjm8oBj4LWNDTHjsG21MxgXU
no aaa new-model
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip domain name csfc.com
ip name-server 192.168.1.3
no ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint dc-ca
enrollment terminal
subject-name cn=happy.csfc,c=us
revocation-check none
crypto pki certificate map CRT 10
issuer-name co csfc
crypto pki certificate chain dc-ca
certificate 3F51979A000000000012
3082038E 30820333 A0030201 02020A3F 51979A00 00000000 12300A06 082A8648
CE3D0403 02303B31 13301106 0A099226 8993F22C 64011916 03636F6D 31143012
060A0992 268993F2 2C640119 16046373 6663310E 300C0603 55040313 0564632D
6361301E 170D3133 30333031 31383532 35365A17 0D313530 33303131 38353235
365A3022 310B3009 06035504 06130275 73311330 11060355 0403130A 68617070
792E6373 66633059 30130607 2A8648CE 3D020106 082A8648 CE3D0301 07034200
0429D4D8 F89E295B F7AF826F 86A3F29D EF48FCFF D2374B0F D39CD393 620D3EFD
D484BFA4 3ED08E16 7FDF839D 0FF85690 26C0545C 1B56EC17 7A2E6C1D 5D1A6CD8
DDA38202 36308202 32300B06 03551D0F 04040302 06C0301D 0603551D 0E041604
142DCC8D 554A4853 C4C03B3D 2400E3EA 459406B5 AE301F06 03551D23 04183016
80142389 F56583FC B73D3F11 79A47EAB 96721E76 81AA3081 BB060355 1D1F0481
B33081B0 3081ADA0 81AAA081 A78681A4 6C646170 3A2F2F2F 434E3D64 632D6361
2C434E3D 44432C43 4E3D4344 502C434E 3D507562 6C696325 32304B65 79253230
53657276 69636573 2C434E3D 53657276 69636573 2C434E3D 436F6E66 69677572
6174696F 6E2C4443 3D637366 632C4443 3D636F6D 3F636572 74696669 63617465
5265766F 63617469 6F6E4C69 73743F62 6173653F 6F626A65 6374436C 6173733D
63524C44 69737472 69627574 696F6E50 6F696E74 3081B406 082B0601 05050701
010481A7 3081A430 81A10608 2B060105 05073002 8681946C 6461703A 2F2F2F43
4E3D6463 2D63612C 434E3D41 49412C43 4E3D5075 626C6963 2532304B 65792532
30536572 76696365 732C434E 3D536572 76696365 732C434E 3D436F6E 66696775
72617469 6F6E2C44 433D6373 66632C44 433D636F 6D3F6341 43657274 69666963
6174653F 62617365 3F6F626A 65637443 6C617373 3D636572 74696669 63617469
6F6E4175 74686F72 69747930 3C06092B 06010401 82371507 042F302D 06252B06
01040182 37150881 98D47A81 B6D74A87 A98B18DF C60887B8 D4794787 BCE00C86
9D892C02 01640201 11301306 03551D25 040C300A 06082B06 01050508 0202301B
06092B06 01040182 37150A04 0E300C30 0A06082B 06010505 08020230 0A06082A
8648CE3D 04030203 49003046 022100E7 E5814B90 CE6EABE2 B12C818A 6323160D
632C0551 B765DA29 0CA4BAAC 27325F02 2100E516 11985F3E CDB23FE7 BB91C836
74C457BB 5EA87ED6 3D9DCF41 AE4CDD40 A28F
quit
certificate ca 2C8A76A7904BB4B341B3AAFA9ED387D3
308201DC 30820183 A0030201 0202102C 8A76A790 4BB4B341 B3AAFA9E D387D330
0A06082A 8648CE3D 04030230 3B311330 11060A09 92268993 F22C6401 19160363
6F6D3114 3012060A 09922689 93F22C64 01191604 63736663 310E300C 06035504
03130564 632D6361 301E170D 31333031 32333135 32383435 5A170D31 38303132
33313533 3834345A 303B3113 3011060A 09922689 93F22C64 01191603 636F6D31
14301206 0A099226 8993F22C 64011916 04637366 63310E30 0C060355 04031305
64632D63 61305930 1306072A 8648CE3D 02010608 2A8648CE 3D030107 03420004
EFA5B6B5 BC89C22A B91DDDBB 60034DB9 21655D71 3965177D 9D5956D0 8C45ABC9
38EB4175 44AA06DC 19B94DAB 368AC06C 35077B97 24BE5879 758256FA 03838F2F
A3693067 30130609 2B060104 01823714 0204061E 04004300 41300E06 03551D0F
0101FF04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604 142389F5 6583FCB7 3D3F1179 A47EAB96 721E7681 AA301006 092B0601
04018237 15010403 02010030 0A06082A 8648CE3D 04030203 47003044 022010BD
C2ADC8B7 C2C05DB2 CFE2E78A B3A47E2E 8A3193CA 607E4AE3 EEF105F0 42CE0220
056C951C 45ECD966 DFA9BADB 9F1CC71E 8F029C12 F94593A6 21B50A49 C1E62581
quit
license udi pid CISCO2911/K9 sn FTX1621AJFU
username csfc privilege 15 secret 4
username admin privilege 15 secret 4
username Happy privilege 15 secret 4
redundancy
crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha256
group 19
crypto ikev2 policy policy1
proposal prop-1
crypto ikev2 profile default
match certificate CRT
identity local dn
authentication local ecdsa-sig
authentication remote rsa-sig
authentication remote ecdsa-sig
pki trustpoint dc-ca
no crypto ikev2 diagnose error
no crypto ikev2 http-url cert
crypto ikev2 certificate-cache 750
crypto ikev2 fragmentation mtu 1400
crypto logging ikev2
crypto ipsec transform-set SEC esp-aes esp-sha256-hmac
crypto ipsec profile default
set transform-set SEC
set ikev2-profile default
interface Tunnel0
no ip address
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
tunnel source GigabitEthernet0/1
tunnel destination 192.168.11.42
tunnel protection ipsec profile default
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.40 255.255.255.0
duplex full
speed auto
interface GigabitEthernet0/1
ip address 192.168.11.41 255.255.255.252
duplex full
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 192.168.2.0 255.255.255.0 Tunnel1
no cdp advertise-v2
control-plane
banner login ^CCPLEEEESE!^C
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
sntp server 192.168.1.3 version 3
end
------------------ show crypto tech-support ------------------
------------------ show crypto isakmp sa count ------------------
Active ISAKMP SA's: 0
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0
------------------ show crypto ipsec sa count ------------------
IPsec SA total: 2, active: 2, rekeying: 0, unused: 0, invalid: 0
------------------ show crypto isakmp sa detail ------------------
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
IPv6 Crypto ISAKMP SA
------------------ show crypto ipsec sa detail ------------------
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.11.41
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.11.41/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.11.42/255.255.255.255/47/0)
current_peer 192.168.11.42 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
#pkts decaps: 275, #pkts decrypt: 275, #pkts verify: 275
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 192.168.11.41, remote crypto endpt.: 192.168.11.42
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x1DF8CFFA(502845434)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBF473CF2(3209116914)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181836/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1DF8CFFA(502845434)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181837/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
------------------ show crypto session summary ------------------
------------------ show crypto session detail ------------------
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel1
Uptime: 00:02:00
Session status: UP-ACTIVE
Peer: 192.168.11.42 port 500 fvrf: (none) ivrf: (none)
Phase1_id: cn=grumpy.csfc,c=us
Desc: (none)
IKEv2 SA: local 192.168.11.41/500 remote 192.168.11.42/500 Active
Capabilities:(none) connid:3 lifetime:23:58:00
IPSEC FLOW: permit 47 host 192.168.11.41 host 192.168.11.42
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 275 drop 0 life (KB/Sec) 4181836/3479
Outbound: #pkts enc'ed 271 drop 0 life (KB/Sec) 4181837/3479
------------------ show crypto isakmp peers ------------------
------------------ show crypto ruleset detail ------------------
Mtree:
199 VRF 0 11 192.168.11.41/500 ANY Forward, Forward
299 VRF 0 11 192.168.11.41/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
6553700000000000101 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Encrypt
6553700000000000199 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Discard/notify
------------------ show processes memory | include Crypto IKMP ------------------
260 0 5432 880 18424 3 3 Crypto IKMP
------------------ show processes cpu | include Crypto IKMP ------------------
260 0 6 0 0.00% 0.00% 0.00% 0 Crypto IKMP
------------------ show crypto eli ------------------
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 0 active, 3200 max, 0 failed
------------------ show cry engine accelerator statistic ------------------
Device: Onboard VPN
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 1826 seconds ago
0 packets in 0 packets out
0 bytes in 0 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 0 packets encrypted
0 bytes before decrypt 0 bytes encrypted
0 bytes decrypted 0 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 bits/sec in 0 bits/sec out
0 bytes decrypted 0 bytes encrypted
0 Kbits/sec decrypted 0 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
------------------ show cry isakmp diagnose error ------------------
Exit Path Table - status: disable, current entry 0, deleted 0, max allow 10
------------------ show cry isakmp diagnose error count ------------------
Exit Trace counters
------------------ show crypto call admission statistics ------------------
Crypto Call Admission Control Statistics
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0
Phase1.5 SAs under negotiation: 0
sho ip int bri
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.168.1.40 YES NVRAM up up
GigabitEthernet0/1 192.168.11.41 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
Tunnel0 unassigned YES unset up down
Tunnel1 192.168.100.1 YES NVRAM up up
happy#
happy#sho crypto pki cert verb
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3F51979A000000000012
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
Name: happy.csfc
cn=happy.csfc
c=us
CRL Distribution Points:
ldap:///CN=dc-ca,CN=DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=csfc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 18:52:56 UTC Mar 1 2013
end date: 18:52:56 UTC Mar 1 2015
Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: BF234623 9E7F2C73 EBE07B0A 9E89FC76
Fingerprint SHA1: DB8A8D50 23D9E2DD AC2ED2DC 5A857569 279F44D5
X509v3 extensions:
X509v3 Key Usage: C0000000
Digital Signature
Non Repudiation
X509v3 Subject Key ID: 2DCC8D55 4A4853C4 C03B3D24 00E3EA45 9406B5AE
X509v3 Authority Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
Authority Info Access:
Extended Key Usage:
1.3.6.1.5.5.8.2.2
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#12.cer
Key Label: happy.csfc.com
Key storage device: private config
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2C8A76A7904BB4B341B3AAFA9ED387D3
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
cn=dc-ca
dc=csfc
dc=com
Validity Date:
start date: 15:28:45 UTC Jan 23 2013
end date: 15:38:44 UTC Jan 23 2018
--More-- Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: 1F937411 4DB57036 73D54124 E50E83FC
Fingerprint SHA1: E78FE0BF DF5F168A 67860C48 78EC427C 66FE551A
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#87D3CA.cer
happy#sho crypt key mypubkey all
% Key pair was generated at: 18:44:07 UTC Mar 1 2013
Key name: eckey
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 4200049A 28E9709A
2F81DEE9 9ED27787 B790D3B4 487B3F2D DBA06E95 43298A54 19A3B0B7 E9107223
5CB9F3CD 9D8BD0E9 9AB9FFC4 698C1912 CBADC469 9E7CD6D3 46E5A2
% Key pair was generated at: 18:49:21 UTC Mar 1 2013
Key name: happy.csfc.com
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 42000429 D4D8F89E
295BF7AF 826F86A3 F29DEF48 FCFFD237 4B0FD39C D393620D 3EFDD484 BFA43ED0
8E167FDF 839D0FF8 569026C0 545C1B56 EC177A2E 6C1D5D1A 6CD8DD
happy# sho crypto ike2 v2 session detail
IPv4 Crypto IKEv2 Session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/339 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Child sa: local selector 192.168.11.41/0 - 192.168.11.41/65535
remote selector 192.168.11.42/0 - 192.168.11.42/65535
ESP spi in/out: 0xBF473CF2/0x1DF8CFFA
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 128, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
IPv6 Crypto IKEv2 Session
happy#sho crypto ikev2 session sa detail
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/386 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
IPv6 Crypto IKEv2 SA
happy#sho crypto ikev2 sa detail stats
Crypto IKEv2 SA Statistics
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego: 1000
Total IKEv2 SA Count: 1 active: 1 negotiating: 0
Incoming IKEv2 Requests: 34 accepted: 34 rejected: 0
Outgoing IKEv2 Requests: 50 accepted: 50 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
happy#exit -
Adobe reader x: signature digest algorithm
Hi,
I have created a pdf with Adobe Acrobat, with the signing attribute on and it has an empty signature field.
If I sign this document using a brand new self-signed windows digital ID Adobe Reader uses as signing algorithm SHA256, if I use (via PKCS11) a certificate contanied in a smartcard, the hash algorithm used is SHA1... for the italian signature law the hash signing alg must be SHA256.
My settings in Edit - Preferences - Security - Advanced Preferences - Creation is:
Default signature Signing Format: CAdES Equivalent
(but it acts the same with PKCS#7 Detached)
Is there a way to always use SHA256 in signing?Could you please try turning off reader X protected mode and check if you continue to see the problem? You could turn off protected mode using following steps:
1. Launch Reader X and select Edit->Preferences...
2. Select General from left navigation
3. Under application startup uncheck "Enable Protected Mode at Startup"
Note: You should switch "ON" protected mode after verifying the problem. Purpose of Reader X Protected Mode is to keep your system safe from PDF based exploits and keeping protected mode OFF will leave your system vulnerable. -
How to setup a template to issue SHA1 certs if I have a SHA256 chain
Hi All
Can any one tell me how to setup a template to issue SHA1 certs if I have a SHA256 chain. I looked at the templates and I didn’t see where it is specified?
Puneet SinghCertificate signature algorithm is CA-wide settings and independent from certificate templates. You have to configure your CA to use SHA1 signature:
certutil -setreg ca\csp\cnghashalgorithm sha1
net stop certsvc && net start certsvc
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell File Checksum Integrity Verifier tool. -
Certreq -policy Changing signing algorithm
We are trying to create a qualified subordination CSR using a SHA256 signature, however the request keeps coming back as being signed using SHA1. We would like the signature to be SHA-256 for the CSR, not just applied by the CA signature.
The CA certificate and the Qualified Subordination signing certificate both have SHA-256 as the signature algorithm (these were both created using GUI where there is the signature algorithm dropdown). This is being done on 2008 Enterprise R1 OS / Stand-alone
subordinate CA (policy tier). We are using the 'certreq -policy' command and are using a policy.inf file. We have not been able to locate an area within the policy.inf that would specify which hash to use ("[NewRequest]" is not appropriate for this file).
The command syntax description from "certutil -policy -?" indicates that there should be a "-hash HashAlgorithm" option that could be used, however we are not able to determine what name format to use (we have tried sha256, sha256RSA, rsasha256, sha-256,
and even sha1, sha-1, sha1rsa, and rsasha1).
Any ideas? Thanks in advance...Thanks, Hasain, but unfortunately your answer does not relate to my question. I know how to create a CSR from and inf file.
I am actually trying to create a qualified subordination request from an existing CA certificate as part of a cross-signing process with a trusted 3rd party. Both the qualified subordination signing certificate and the CA certificate were requested
and issued using SHA256, but I could use the GUI for doing that. I am not seeing a way to use the GUI for creating a cross signing request (if there is a way to do this instead of certreq -policy, I would happily take that as an answer, too).
I'm not seeing how certreq -new could be used for this. certreq -new -? shows a 'configfilein' in the displayed fields, but it is not shown in the command usage. I see where I could specify the QS signing certificate using the -cert option.
certreq.exe -sign -cert QSSign_Hash Request.inf Request.req
Where would the RequestFileIn go?
certreq.exe -policy -cert QSSign_Hash CA.cer Policy.inf XSign.req
I can see that for -policy there are "-alt" and "-hash HashAlgorithm" options but it is unclear how to use these. I think this is what I need - I just can't get either or both of them to work - they both return 'unknown argument.'
I can create the request just fine with the default sha-1 signature hash, but using sha-2 is being difficult. Do we need to maybe set it in the registry to only sign using sha256?
Thanks again for your assistance.
Maybe you are looking for
-
How about a 'suggestions' section? or something like that?
How about make a section where users can suggest features that they wish implemented on apple products? For a start, I would like to make a suggestion to itunes. How about give an option to choose which part of the ipod/iphone/ipad to sync? For examp
-
Configuring Admin Util to allow me to use VPN AND surf the rest of the net
I am having a problem when I connect to my work network via VPN. When I do, I can no longer connect to the rest of the Internet. I was able to do this until I started using an Express (so it has been allowed by my work network). Here's my setup: Expr
-
Hello All, I searched the forums to see if my question had already been answered, but I couldn't find it. My apologies in advance if this, in fact, is solved. I am having some issues with my installation of Windows 7 on my Mac Mini 2010 model 2.4Ghz
-
When I print a pdf document some of the lines of text are a lighter black than the rest of the copy. This only happens with pdfs and it isn't always in the same location on the page. Are there settings I'm missing?
-
JSP, BC4J, Udating records: Dates
Hi, I have a JSP application that has several date fields. I have a calender bean to populate the fields. The values are entered as "YYYY-MM-DD". When all the fields are required to be updated, the update proceeds without a problem and the updated da