So your CA uses RSA keys, which means it obviously cannot sign with Ed25519; RSA keys are only good for RSA signatures, as we know. A single CA cannot have multiple CA signing keys in use at the same time, as that would become very complicated in path building etc. for relying parties. Publicly trusted Web PKI (SSL) CAs use different Roots for RSA and EC; it's best practice. If you want to use a CA with Ed25519 I would recommend creating a new CA for that. (PS: to my knowledge there is nothing today that says Ed25519 is more secure than RSA; it depends more on the use case which one you want to use.)
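To make the point of the reply concrete, here is an added example that is not from the discussion and not EJBCA code; it uses Go's standard crypto/x509 in place of EJBCA's BouncyCastle-based issuer, and the CA names, serial numbers and validity periods are made up for the example. It builds an RSA root and a separate Ed25519 root and then runs the three cases the thread talks about: the RSA CA issues a certificate for an Ed25519 subject key (the signature on it is still SHA256WithRSA); the RSA CA is asked to sign with Ed25519, which is the profile-level override the question attempts, and the library refuses, the same category of failure as the "cannot identify EdDSA private key" exception; and an Ed25519-signed certificate only appears once the leaf is issued by a CA whose own signing key is Ed25519. Each issued leaf is also checked against its CA with CheckSignatureFrom, which is the verification a relying party performs.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. Subject names, serials
// and validity are constructed for this example only.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// selfSignCA creates a self-signed root for caKey, whatever its algorithm.
func selfSignCA(cn string, caKey crypto.Signer) (*x509.Certificate, error) {
	t := newTemplate(cn, 1, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, caKey.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueLeaf has the CA sign an end-entity certificate for leafPub.
// sigAlg == 0 lets the library pick the signature algorithm implied by the
// CA's key; a non-zero value is the equivalent of forcing a signature
// algorithm per certificate profile, as the question tries to do.
func issueLeaf(ca *x509.Certificate, caKey crypto.Signer, leafPub crypto.PublicKey,
	sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	t := newTemplate("leaf (example)", 2, false)
	t.SignatureAlgorithm = sigAlg
	der, err := x509.CreateCertificate(rand.Reader, t, ca, leafPub, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	// What a relying party does: confirm the leaf really chains to this CA.
	if err := leaf.CheckSignatureFrom(ca); err != nil {
		return nil, err
	}
	return leaf, nil
}

// Result records what an issuance produced, or why it was refused.
type Result struct {
	SigAlg x509.SignatureAlgorithm // algorithm of the signature, fixed by the issuer's key
	KeyAlg x509.PublicKeyAlgorithm // algorithm of the subject's key, independent of the issuer
	Err    error
}

func summarise(c *x509.Certificate, err error) Result {
	if err != nil {
		return Result{Err: err}
	}
	return Result{SigAlg: c.SignatureAlgorithm, KeyAlg: c.PublicKeyAlgorithm}
}

// Scenarios runs the three cases from the thread and returns them by name.
func Scenarios() (map[string]Result, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rsaCA, err := selfSignCA("RSA Root (example)", rsaKey)
	if err != nil {
		return nil, err
	}
	_, edCAKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	edCA, err := selfSignCA("Ed25519 Root (example)", edCAKey)
	if err != nil {
		return nil, err
	}
	// The end entity's key is Ed25519 in every case, as in the question.
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	out := map[string]Result{}
	// 1. RSA CA, Ed25519 subject key, algorithm left to the CA: succeeds,
	//    but the signature is SHA256WithRSA because the signer is RSA.
	out["rsa-ca-ed25519-leaf"] = summarise(issueLeaf(rsaCA, rsaKey, leafPub, 0))
	// 2. RSA CA forced to sign with Ed25519: refused by the library.
	out["rsa-ca-forced-ed25519"] = summarise(issueLeaf(rsaCA, rsaKey, leafPub, x509.PureEd25519))
	// 3. A separate CA with an Ed25519 signing key: Ed25519 signature and key.
	out["ed25519-ca-ed25519-leaf"] = summarise(issueLeaf(edCA, edCAKey, leafPub, 0))
	return out, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"rsa-ca-ed25519-leaf", "rsa-ca-forced-ed25519", "ed25519-ca-ed25519-leaf"} {
		r := res[name]
		if r.Err != nil {
			fmt.Printf("%-24s refused: %v\n", name, r.Err)
			continue
		}
		fmt.Printf("%-24s signature=%v subject-key=%v\n", name, r.SigAlg, r.KeyAlg)
	}
}
```

The first and third cases are what the reply recommends: keep issuing Ed25519-keyed end-entity certificates from the existing RSA CA if RSA signatures are acceptable, and stand up a separate CA with an Ed25519 crypto-token key if the certificates themselves must carry Ed25519 signatures. The second case is the configuration the question describes, and any issuer will reject it, because the signature algorithm must match the issuer's private key.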
Hello Tomas,
Kind regards,
Hello,
We are trying to increase the security of our certificates and have decided to use Ed25519 as the key algorithm.
We thought it would be nice if, in addition, Ed25519 could be used as the signing algorithm.
I'm running EJBCA version 7.11.0.
The issuing CA uses SHA256WithRSA as its signing algorithm. But it is possible to change the signature algorithm within a certificate profile by changing the field "Signature Algorithm".
In the appropriate crypto token I have created a key with the algorithm Ed25519.
The documentation "EJBCA CA Concept Guide -> Certificate Authority Overview" describes how multiple signing algorithms can be connected with specific keys:
"A CA is defined to use several key pairs which are mapped to a purpose. .... Note that the same alias can be used for several mappings."
But I cannot find that within the CA configuration.
For the certificate profile field "Signature Algorithm" there is no documentation at all.
When I try to enroll a certificate I get the following exception:
org.cesecore.certificates.certificate.CertificateCreateException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: cannot identify EdDSA private key
So my question is: is it possible to use a different signature algorithm than the one defined by the issuing CA?
Kind regards,
Torsten