Replies: 1 comment
PKCS#12 files are a real PITA to try to make FIPS compliant, and to actually make work with different applications. You have the BCFKS keystore if you want FIPS compliant crypto.
-
Hi,
We just wanted to check if it is possible at all to change the encryption that is used for certs & keys in PKCS#12 keystores to use something better than pbeWithSHA1And3-KeyTripleDES-CBC?
We are in the middle of upgrading our EJBCA instance, so we have been talking with our infosec team, who have said that pbeWithSHA1And3-KeyTripleDES-CBC makes them a bit twitchy because it has SHA1 and TripleDES, both of which tend to be discouraged by NIST and other standards bodies.
We can see from looking in cesecore.properties that it's possible to go back to using pbeWithSHA1And40BitRC2-CBC; however, we wouldn't want to go back to that, as it would be worse.
Thanks
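A quick way to check which of the schemes named in the question a given PKCS#12 file actually uses, as an added example that is not part of the original discussion or of EJBCA: it DER-encodes the standard algorithm OIDs and searches the file bytes for them. The function names, the "legacy"/"modern" ratings and the sample bytes are assumptions made for this illustration.

```python
# Added example: triage a PKCS#12 blob by searching for DER-encoded algorithm OIDs.
# The OIDs are the standard PKCS#12 / PKCS#5 / NIST assignments; the ratings are
# this example's own labels, not an official classification.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "legacy"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "legacy"),
    "1.2.840.113549.1.5.13": ("PBES2", "modern"),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", "modern"),
    "1.2.840.113549.2.9": ("hmacWithSHA256", "modern"),
}

def der_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # last byte has the high bit clear
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)    # continuation bytes set the high bit
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def scan_p12(blob):
    """Return sorted (name, rating) pairs for every known OID found in blob."""
    return sorted(info for oid, info in PBE_OIDS.items() if der_oid(oid) in blob)

def has_legacy_pbe(blob):
    """True if any SHA1-based PKCS#12 PBE scheme identifier is present."""
    return any(rating == "legacy" for _, rating in scan_p12(blob))

# Constructed sample, not a real keystore: one AlgorithmIdentifier as it appears
# in a PKCS#12 file, SEQUENCE { OID, SEQUENCE { 8-byte salt, iterations 2048 } }.
SAMPLE_3DES = bytes.fromhex(
    "301c" "060a2a864886f70d010c0103" "300e" "0408" "0102030405060708" "02020800"
)

if __name__ == "__main__":
    for name, rating in scan_p12(SAMPLE_3DES):
        print(f"{rating:7} {name}")
```

The algorithm identifiers are stored in the clear, so no password is needed; an identifier nested inside an already-encrypted part of the file will not be seen by this scan.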