[JDK-8249541] keytool default cert fingerprint algorithm should be SHA-256 - Java Bug System

XML

Word

Printable

Details

Type: CSR
Status: Closed
Priority: P4
Resolution: Approved
Fix Version/s: 7-pool, 8-pool
Component/s: security-libs
Labels:
None

Subcomponent:
java.security
Compatibility Kind:

behavioral
Compatibility Risk:
minimal
Interface Kind:

add/remove command in $JDK/bin

Description

Summary

Update the keytool functionality in upcoming JDK 7u and JDK 8u Oracle releases so that SHA-256 is default certificate fingerprint algorithm (instead of SHA-1)

JDK 9 and later already use SHA-256.

Problem

keytool still uses SHA-1 as the default certificate fingerprint algorithm in JDK 7u/8u. SHA-1 is considered a security risk as of today and should be avoided where possible.

Solution

Update the default algorithm to SHA-256. Since not all other CA and certificate-related tools include the SHA-256 fingerprint, SHA-1 is kept in the full list for interop. reasons.

Specification

A release note will accompany this change to indicate that SHA-256 is the default fingerprint algorithm.

Attachments

Issue Links

csr of

JDK-8249163 keytool default cert fingerprint algorithm should be SHA-256

Resolved

relates to

JDK-8249595 Update keytool man page

Resolved

JDK-8249597 JDK 7/8 keytool documentation needs updating

Resolved

Activity

People

Assignee:: Sean Coffey

Reporter:: Sean Mullan

Reviewed By:: Sean Mullan

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020-07-15 07:13

Updated:: 2020-07-17 12:29

Resolved:: 2020-07-17 12:29