JDK-8143916 : Release Note: keytool default cert fingerprint algorithm is now SHA-1
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u111,7
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • OS: generic
  • CPU: generic
  • Submitted: 2015-11-24
  • Updated: 2022-06-14
  • Resolved: 2017-10-04
JDK 6: 6u111 (Resolved)
Description
The default cert fingerprint algorithm (emitted by keytool -list, -printcert and other subcommands) now uses SHA-1 instead of MD5.
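
An added example, not part of the original release note or of the JDK: a fingerprint recorded from keytool output under the old MD5 default will not string-match what keytool prints under the new SHA-1 default, even for an unchanged certificate. The sketch below compares a certificate against a recorded fingerprint using the algorithm implied by the record's length. Function names and the sample bytes are hypothetical; it assumes keytool's colon-separated upper-case hex form.

```python
import hashlib
import hmac

# Digest length in bytes -> hashlib name. MD5 is keytool's old default
# fingerprint, SHA-1 the new default from this note; SHA-256 is included as an
# assumption so longer recorded fingerprints are also recognised.
ALG_BY_LENGTH = {16: "md5", 20: "sha1", 32: "sha256"}

def keytool_fingerprint(der: bytes, alg: str) -> str:
    """Digest of the DER-encoded certificate as colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.new(alg, der).digest())

def parse_recorded(fp: str):
    """Return (algorithm, raw digest) for a recorded fingerprint string."""
    try:
        raw = bytes.fromhex(fp.strip().replace(":", ""))
    except ValueError:
        raise ValueError(f"not a hex fingerprint: {fp!r}") from None
    if len(raw) not in ALG_BY_LENGTH:
        raise ValueError(f"unexpected digest length: {len(raw)} bytes")
    return ALG_BY_LENGTH[len(raw)], raw

def check_recorded(der: bytes, recorded: str) -> dict:
    """Compare a certificate with a recorded fingerprint using the algorithm
    the record was made with, not whatever keytool prints by default today."""
    alg, expected = parse_recorded(recorded)
    actual = hashlib.new(alg, der).digest()
    return {
        "algorithm": alg,
        "match": hmac.compare_digest(actual, expected),
        "old_md5_default": alg == "md5",  # candidate for re-recording
    }

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = bytes.fromhex("3082010a") + b"constructed example certificate body"

if __name__ == "__main__":
    old_record = keytool_fingerprint(SAMPLE_DER, "md5")   # recorded before the change
    new_output = keytool_fingerprint(SAMPLE_DER, "sha1")  # printed after the change
    print("naive string compare:", old_record == new_output)  # differs, same cert
    print("algorithm-aware     :", check_recorded(SAMPLE_DER, old_record))
```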
Comments
After this sentence:

"The default keysize has been increased to 2048 bits for RSA based keys."

we should add:

"Users wishing to revert to the old behavior can use the -keysize option with the -genkeypair keytool option."

A small nit is that "behavior" is the preferred American English spelling, instead of "behaviour". Not sure if we have any guidelines on that.

--Sean

On 04/15/2016 03:12 AM, Seán Coffey wrote:
> Nearly there Cliff! I'd like to combine all keytool changes into one
> paragraph. Apologies if I wasn't clear.
>
> remove this paragraph :
>
>> *keytool default cert fingerprint algorithm is now SHA-1*
>> The default cert fingerprint algorithm (emitted by keytool -list,
>> -printcert and other subcommands) now uses SHA-1 instead of MD5 with
>> this JDK 6u release. The default keytool and jarsigner signature
>> algorithm has changed from SHA1withRSA to SHA256withRSA for RSA based
>> certificates. The default keytool signature algorithm has changed from
>> SHA1withECDSA to SHA256withECDSA for EC based certificates.
>>
>> See JDK-6709758 <https://bugs.openjdk.java.net/browse/JDK-6709758>.
>>
>
> and see in red what I've added to the other keytool paragraph you
> currently have : (one sentence and bug ID)
>
>> **Modifications to keytool for this release**
>> The default keysize has been increased to 2048 bits for RSA based keys.
>>
>> The default cert fingerprint algorithm (emitted by keytool -list,
>> -printcert and other subcommands) now uses SHA-1 instead of MD5
>>
>> The default keytool signature algorithm has changed from SHA1withRSA
>> to SHA256withRSA for RSA based certificates. The default keytool
>> signature algorithm has changed from SHA1withECDSA to SHA256withECDSA
>> for EC based certificates.
>>
>> Users wishing to revert to the old behaviour can use the -sigalg option
>> with the -certreq, -genkeypair keytool options.
>>
>> JDK-8139084 (not public) See JDK-6709758
>> <https://bugs.openjdk.java.net/browse/JDK-6709758>.
>>
>
> Regards,
> Sean.
>
> On 15/04/2016 01:08, Clifford Wayne wrote:
>> I've incorporated the updated input in the 6u111 Release Notes.
>>
>> Some of the comments below applied to JDK-8139084 (Modifications to
>> jarsigner and keytool) and other comments applied to JDK-6709758
>> (keytool default cert fingerprint algorithm is now SHA-1).
>>
>> I updated both items in the Release Notes with the comments; however,
>> the updates that I've made need to be checked to be sure this is what is
>> wanted/needed.
>>
>> The link to the staged Release Notes is below:
>>
>> http://www-content.oracle.com/technetwork/java/javase/6u111-relnotes-2775857.html?SSContributor=true
>>
>> The descriptions in the JBS items will also need to be updated. Let me
>> know if any changes are needed or if they are ok to publish.
>>
>> Cliff
15-04-2016

Release Notes for 6u111 have been updated with this content.
04-01-2016