JDK-8249541 : keytool default cert fingerprint algorithm should be SHA-256
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 7-pool,8-pool
  • Submitted: 2020-07-15
  • Updated: 2020-07-17
  • Resolved: 2020-07-17
Related Reports
Description
Summary
-------
Update keytool in the upcoming JDK 7u and JDK 8u Oracle releases so that SHA-256 is the default certificate fingerprint algorithm (instead of SHA-1).

JDK 9 and later already use SHA-256.

Problem
-------

keytool in JDK 7u and JDK 8u still uses SHA-1 as the default certificate fingerprint algorithm. SHA-1 is no longer considered collision-resistant and should be avoided wherever possible.

Solution
--------

Change the default fingerprint algorithm to SHA-256. Because not every CA or certificate-related tool displays a SHA-256 fingerprint, the SHA-1 fingerprint is retained in the full fingerprint listing for interoperability.
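A certificate fingerprint is nothing more than a digest over the certificate's DER encoding, printed as colon-separated uppercase hex, so the value keytool shows can be checked without keytool. The script below is an added example, not code from the JDK or from keytool: it strips PEM armour if present, computes both the SHA-256 and the legacy SHA-1 fingerprint in keytool's display format, and compares an out-of-band fingerprint against the certificate, refusing a SHA-1 value unless the caller explicitly opts in. The function names and the tiny sample DER blob (a bare SEQUENCE used only as hash input, not a real certificate) are constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# keytool's algorithm labels mapped to hashlib names.
ALGORITHMS = {"SHA-1": "sha1", "SHA-256": "sha256"}

# Constructed sample input: a minimal DER SEQUENCE { INTEGER 5 }, standing in
# for a certificate's DER encoding. It is not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER)
    + b"\n-----END CERTIFICATE-----\n"
)


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes: unwrap a PEM CERTIFICATE block if present, else pass through."""
    match = re.search(
        rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S
    )
    if match is None:
        return data  # assume it is already DER
    return base64.b64decode(b"".join(match.group(1).split()))


def fingerprint(der: bytes, algorithm: str = "SHA-256") -> str:
    """Digest the DER encoding and format it the way keytool prints fingerprints."""
    digest = hashlib.new(ALGORITHMS[algorithm], der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprints(der: bytes) -> dict:
    """Both fingerprints, SHA-256 first, mirroring the 'full list' keytool keeps."""
    return {alg: fingerprint(der, alg) for alg in ("SHA-256", "SHA-1")}


def normalize(fp: str) -> str:
    """Accept 'ab:cd', 'AB CD', 'abcd' etc. by keeping only the hex digits, uppercased."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches(der: bytes, expected: str, allow_sha1: bool = False) -> bool:
    """Check a fingerprint received out of band against the certificate.

    The algorithm is inferred from the digest length (20 bytes SHA-1,
    32 bytes SHA-256). SHA-1 is refused unless explicitly allowed, since a
    SHA-1 fingerprint alone does not bind the certificate against collisions.
    """
    exp = normalize(expected)
    algorithm = {40: "SHA-1", 64: "SHA-256"}.get(len(exp))
    if algorithm is None:
        raise ValueError("unrecognised fingerprint length: %d hex digits" % len(exp))
    if algorithm == "SHA-1" and not allow_sha1:
        raise ValueError("SHA-1 fingerprint refused; request the SHA-256 value instead")
    actual = normalize(fingerprint(der, algorithm))
    return hmac.compare_digest(actual, exp)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for alg, fp in fingerprints(der).items():
        print(f"{alg}: {fp}")
```

To check a real certificate, feed `pem_to_der()` the bytes of a file exported with `keytool -exportcert -rfc` and compare the `SHA-256:` line against `keytool -list -v` output from a JDK 9+ (or a patched 7u/8u) keytool; the `SHA-1:` line is the value older 7u/8u builds print by default.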

Specification
-------------

A release note will accompany this change to indicate that SHA-256 is the default fingerprint algorithm.


Comments
Added links to the issues and moving to Approved; thanks.
17-07-2020

[~darcy] I hope the doc tasks are sufficient for this CSR to proceed
17-07-2020

Moving to Provisional, not Approved. [~coffeys], are there any other docs that should be updated for this, like help output for the tool or a man page?
15-07-2020