JDK-8176483 : Keytool does not create SHA2 fingerprint in gencert
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2017-02-28
  • Updated: 2017-03-13
  • Resolved: 2017-03-13
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
All versions 

ADDITIONAL OS VERSION INFORMATION :
All versions 

A DESCRIPTION OF THE PROBLEM :
With the recent report that SHA1 is no longer safe, the keytool gencert command is not generating a SHA2 fingerprint in the cert even with SHA2 signing alg. 

The community as a whole requires this to be fixed in order for our generated certs to be safe. 

The issues that apply to SHA1 do apply to the fingerprint as well. 

I need an ETA when this will be fixed b

REGRESSION.  Last worked in version 6u43

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Simply, when using keytool and creating a cert with gencert, we need a way to support a SHA2 fingerprint. 

REPRODUCIBILITY :
This bug can be reproduced always.


Comments
The Fingerprint is an identifier used by the platform to locate the certificate in the certificate store. Depending on the platform, the SHA-1 or MD5 Fingerprint may be displayed. It is unrelated to the encryption algorithm of the certificate. So, this should not be a JDK issue.
13-03-2017

From submitter: --------------------- Problem is NOT with the signature. That's fine. It's the fingerprint which is much, much different. See attached screenshot and notice that the signing Alg is fine but the fingerprint at the bottom is bad.
13-03-2017

This was fixed in JDK 9: see JDK-8141457. Also in JDK 8, you can use the keytool -v printcert option to emit a SHA2 fingerprint.
13-03-2017
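To make the point of the comments above concrete: a certificate fingerprint is nothing more than a digest over the certificate's DER encoding, so a SHA-256 fingerprint can be computed for any existing certificate without re-signing it, and it is the hash the tool chooses to display, not the signature algorithm, that decides whether you see SHA-1 or SHA-256. The script below is an added example, not code from the bug report or from the JDK; SAMPLE_DER is a constructed stand-in for real certificate bytes, and on a certificate exported with `keytool -exportcert -rfc` the output is formatted the way keytool prints fingerprints.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate, just bytes standing in for a
# DER-encoded X.509 certificate so the example runs offline.
SAMPLE_DER = bytes(range(64))


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in a PEM block (64-column base64), the -rfc export format."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format(label, "\n".join(lines))


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM block and base64-decode it back to DER bytes."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str) -> str:
    """Digest the DER encoding and format it keytool-style: AA:BB:CC:..."""
    digest = hashlib.new(algo.replace("-", "").lower(), der).digest()
    return ":".join("%02X" % b for b in digest)


def fingerprints(der: bytes) -> dict:
    """Both fingerprints of the same bytes: the signature inside is untouched."""
    return {a: fingerprint(der, a) for a in ("SHA-1", "SHA-256")}


if __name__ == "__main__":
    der = pem_to_der(der_to_pem(SAMPLE_DER))  # simulate reading an exported cert
    for algo, fp in fingerprints(der).items():
        print("%s fingerprint: %s" % (algo, fp))
```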

To submitter: ------------------ I used the following keytool commands to generate a certificate and attached is the screenshot showing that the Signature Algorithm is SHA256 which is from the SHA-2 family. Can you please let us know the steps taken by you to generate the certificate that could help us reproduce the issue.

keytool -genkeypair -alias rootca1 -keypass welcome1 -keystore castore1 -storepass welcome1 -validity 180 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA
keytool -genkeypair -alias democa1 -keypass welcome1 -keystore democastore1 -storepass welcome1 -validity 180 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA
keytool -certreq -alias democa1 -keypass welcome1 -keystore democastore1 -storepass welcome1 -sigalg SHA256withRSA -file certsign.csr -v
keytool -gencert -alias rootca1 -keystore castore1 -storepass welcome1 -infile certsign.csr -outfile trustcerts1.cer -sigalg SHA256withRSA
10-03-2017