2.6. Setting the SKI Hashing Algorithm

By default, Certificate System uses the SHA-1 hashing algorithm to generate the Subject Key Identifier (SKI) certificate extension when issuing a new certificate. However, you can set a different algorithm in certificate profiles. The following algorithms are supported:
  • SHA-1
  • SHA-256
  • SHA-384
  • SHA-512
For example, edit the caUserCert enrollment profile to issue a Certificate Authority (CA) signing certificate with a Subject Key Identifier (SKI) extension computed with the SHA-512 hash:
  1. Disable the caUserCert profile:
    # pki -d ~/.dogtag/nssdb/ -c password -p 8080 \
         -n "PKI Administrator for example.com" ca-profile-disable caUserCert
  2. Edit the caUserCert profile:
    # pki -d ~/.dogtag/nssdb/ -c password -p 8080 \
         -n "PKI Administrator for example.com" ca-profile-edit caUserCert
    1. Add a new policy for the hashing algorithm with a unique set number for the profile. For example:
      policyset.userCertSet.11.constraint.class_id=noConstraintImpl
      policyset.userCertSet.11.constraint.name=No Constraint
      policyset.userCertSet.11.default.class_id=subjectKeyIdentifierExtDefaultImpl
      policyset.userCertSet.11.default.name=Subject Key Identifier Default
      policyset.userCertSet.11.default.params.messageDigest=SHA-512
      The previous example uses 11 as the set number.
    2. Append the new policy set number to the policyset.userCertSet.list parameter. For example:
      policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,11
    3. Save the profile.
  3. Enable the caUserCert profile:
    # pki -d ~/.dogtag/nssdb/ -c password -p 8080 \
         -n "PKI Administrator for example.com" ca-profile-enable caUserCert