Hi everyone,
We are deploying a Cisco IOS root CA and the root CA certificate is persistently being generated with an MD5 and SHA1 fingerprint. We have been able to configure the PKI to sign identity certificates with SHA256 etc., but failed with the root CA.
How do you change the fingerprint on the Root CA to be more secure, i.e. SHA256 or SHA512?
Redacted config extract shown below:
crypto pki server ROOTCA
 database level complete
 database archive pkcs12 password
 issuer-name CN=RootCA,ou=pki, o=hash
 grant auto trustpoint ROOTCA
 hash sha512
 lifetime certificate 180
 lifetime ca-certificate 730
 auto-rollover 90
!
crypto pki trustpoint ROOTCA
 revocation-check crl
 rsakeypair ROOTCA
 regenerate
 hash sha256
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 02
Certificate Usage: Signature
Issuer:
cn=RootCA
ou=pki
o=hash
Subject:
cn=RootCA
ou=pki
o=hash
Validity Date:
start date: 10:54:39 UTC Aug 6 2020
end date: 10:54:39 UTC Aug 6 2022
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA512 with RSA Encryption
Fingerprint MD5: ***some hash***
Fingerprint SHA1: *** some hash***
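Added example (not from the original post or from Cisco): it builds a self-signed root CA signed with SHA-512, like the "hash sha512" server above, and then shows that the fingerprint lines are just digests of the certificate's DER bytes computed by whatever displays them, independent of the signature algorithm stored inside the certificate. It assumes openssl is installed and uses a 2048-bit key for speed (the post used 4096).

```shell
# Added example: fingerprint vs. signature algorithm on a root CA cert.
# Assumes the openssl CLI is available; 2048-bit key chosen for speed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA signed with SHA-512 (the IOS "hash sha512" setting).
# Subject mirrors the redacted post: CN=RootCA, OU=pki, O=hash.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 730 \
    -subj "/CN=RootCA/OU=pki/O=hash" \
    -keyout "$WORK/rootca.key" -out "$WORK/rootca.pem" 2>/dev/null
}

# Signature algorithm recorded inside the certificate; fixed at signing time.
sig_alg() {
  openssl x509 -in "$WORK/rootca.pem" -noout -text \
    | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# "Fingerprint" as printed by a viewer: a digest over the DER encoding.
# $1 = md5 | sha1 | sha256 | sha512
fingerprint() {
  openssl x509 -in "$WORK/rootca.pem" -noout -fingerprint "-$1" | cut -d= -f2
}

# Same value computed by hand: hash the DER bytes with the chosen digest.
# Shows that an MD5/SHA1 line in "show" output is a display choice, not a
# property of how the CA signed the certificate.
der_digest() {
  openssl x509 -in "$WORK/rootca.pem" -outform DER \
    | openssl dgst "-$1" | awk '{print $NF}'
}

make_root_ca
echo "signature algorithm: $(sig_alg)"
for d in md5 sha1 sha256 sha512; do
  echo "$d fingerprint: $(fingerprint "$d")"
done
```

The signature algorithm stays sha512WithRSAEncryption no matter which digest is requested for the fingerprint; a SHA-256 or SHA-512 fingerprint is obtained by asking the viewer for it, not by changing the CA.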