Updating the signature algorithm

The signature algorithm that PKI Services uses to sign certificates must be based on the key type of the CA certificate. If it is not, PKI Services is unable to start. By default, IKYSETUP creates the CA certificate with an RSA key pair. The default value of the signature algorithm in the pkiserv.conf file is sha–256WithRSAEncryption. You can change the signature algorithm by changing the SigAlg1 value in the CertPolicy section of the pkiserv.conf configuration file. Set SigAlg1 to one of the algorithm identifiers shown in Table 1 for the key type of the CA certificate.

Table 1. Supported signature algorithms for each CA certificate key type
CA certificate key type	Algorithm nickname	Algorithm OID
RSA	`sha-1WithRSAEncryption`	`1.2.840.113549.1.1.5`
	`sha-224WithRSAEncryption`	`1.2.840.113549.1.1.14`
	`sha-256WithRSAEncryption`	`1.2.840.113549.1.1.11`
	`sha-384WithRSAEncryption`	`1.2.840.113549.1.1.12`
	`sha-512WithRSAEncryption`	`1.2.840.113549.1.1.13`
DSA	`id-dsa-with-sha1`	`1.2.840.10040.4.3`
ECC	`ecdsa-with-sha1`	`1.2.840.10045.4.1`
	`ecdsa-with-sha224`	`1.2.840.10045.4.3.1`
	`ecdsa-with-sha256`	`1.2.840.10045.4.3.2`
	`ecdsa-with-sha384`	`1.2.840.10045.4.3.3`
	`ecdsa-with-sha512`	`1.2.840.10045.4.3.4`

Tips: Consider these points when choosing the signature algorithm:

In general, a SHA1 hash is more secure than an MD2 or MD5 hash. MD2 and MD5 have been found to be vulnerable to attack and should not be used.
sha-256WithRSAEncryption is more secure than sha-1WithRSAEncryption, but some browsers cannot install certificates that use sha-256WithRSAEncryption.
The National Institute of Standards and Technology (NIST) recommends that SHA1 not be used after the year 2010.