Details
-
Type:
CSR
-
Status: Closed
-
Priority:
P4
-
Resolution: Approved
-
Component/s: security-libs
-
Labels:None
-
Subcomponent:
-
Compatibility Kind:behavioral
-
Compatibility Risk:minimal
-
Interface Kind:add/remove command in $JDK/bin
Description
Summary
Update the keytool functionality in upcoming JDK 7u and JDK 8u Oracle releases so that SHA-256 is default certificate fingerprint algorithm (instead of SHA-1)
JDK 9 and later already use SHA-256.
Problem
keytool still uses SHA-1 as the default certificate fingerprint algorithm in JDK 7u/8u. SHA-1 is considered a security risk as of today and should be avoided where possible.
Solution
Update the default algorithm to SHA-256. Since not all other CA and certificate-related tools include the SHA-256 fingerprint, SHA-1 is kept in the full list for interop. reasons.
Specification
A release note will accompany this change to indicate that SHA-256 is the default fingerprint algorithm.
Attachments
Issue Links
- csr of
-
JDK-8249163 keytool default cert fingerprint algorithm should be SHA-256
-
- Resolved
-
- relates to
-
JDK-8249595 Update keytool man page
-
- Resolved
-
-
JDK-8249597 JDK 7/8 keytool documentation needs updating
-
- Resolved
-