Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8249541

keytool default cert fingerprint algorithm should be SHA-256

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 7-pool, 8-pool
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Interface Kind:
      add/remove command in $JDK/bin

      Description

      Summary

      Update the keytool functionality in upcoming JDK 7u and JDK 8u Oracle releases so that SHA-256 is default certificate fingerprint algorithm (instead of SHA-1)

      JDK 9 and later already use SHA-256.

      Problem

      keytool still uses SHA-1 as the default certificate fingerprint algorithm in JDK 7u/8u. SHA-1 is considered a security risk as of today and should be avoided where possible.

      Solution

      Update the default algorithm to SHA-256. Since not all other CA and certificate-related tools include the SHA-256 fingerprint, SHA-1 is kept in the full list for interop. reasons.

      Specification

      A release note will accompany this change to indicate that SHA-256 is the default fingerprint algorithm.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              coffeys Sean Coffey
              Reporter:
              mullan Sean Mullan
              Reviewed By:
              Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: