Symantec Critical System Protection support for 2048-bit certificates.


Article ID: 157976


Updated On:


Critical System Protection


Agents need to be checked for compatibility with 2048-bit certificates.


Support for 2048-bit keys was introduced in OpenSSL 0.9.7, so certificates of this type work with SCSP 5.2.4 and later. However, since SCSP 5.2.9 the keys are generated with a SHA256 hash, which is not supported until OpenSSL 0.9.8. They will therefore not work on versions of SCSP prior to 5.2.6, in which OpenSSL 0.9.8n was introduced.

To create 2048-bit certificates on an SCSP 5.2.9 server that are compatible with SCSP 5.2.4 agents, add the following switch to the command lines mentioned below:

-sigalg SHA1withRSA

SCSP support for 2048-bit certs and SHA256

SCSP Version   2048-bit cert support?   SHA256 support?   Default SHA version
5.2.4.x        Yes                      No                SHA1
5.2.5.x        Yes                      No                SHA1
5.2.6.x        Yes                      Yes               SHA1
5.2.7.x        Yes                      Yes               SHA1
5.2.8.x        Yes                      Yes               SHA1
5.2.9.x        Yes                      Yes               SHA1
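
One way to check agents against the support matrix above before rolling out a new certificate. This is an added example, not Symantec code: it reads the text printed by "openssl x509 -noout -text -in <certificate file>" and compares the signature hash and key size with each agent's version. The sample certificate text, host names and agent versions are constructed, and the function names are hypothetical.

```python
import re

# Minimum agent versions as stated in the article text.
MIN_FOR_2048 = (5, 2, 4)    # 2048-bit keys: SCSP 5.2.4 and later
MIN_FOR_SHA256 = (5, 2, 6)  # SHA256: SCSP 5.2.6 (OpenSSL 0.9.8n) and later

# Constructed excerpt of `openssl x509 -noout -text` output (not a real certificate).
SAMPLE_CERT_TEXT = """\
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Subject: CN=scsp-server.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
# Constructed agent inventory: host name -> installed SCSP agent version.
SAMPLE_AGENTS = {"agent-a": "5.2.4.100", "agent-b": "5.2.5.0",
                 "agent-c": "5.2.6.12", "agent-d": "5.2.9.37"}

def parse_cert_text(text):
    """Return (signature algorithm in lower case, RSA key size in bits)."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    # Older OpenSSL prints "RSA Public Key: (2048 bit)", newer "Public-Key: (2048 bit)".
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
    if not sig or not bits:
        raise ValueError("signature algorithm or key size not found")
    return sig.group(1).lower(), int(bits.group(1))

def incompatible_agents(cert_text, agents):
    """Map each agent the article says cannot use this certificate to the reasons."""
    sig, bits = parse_cert_text(cert_text)
    problems = {}
    for host, version in agents.items():
        ver = tuple(int(p) for p in version.split(".")[:3])
        reasons = []
        if bits == 2048 and ver < MIN_FOR_2048:
            reasons.append("2048-bit key needs SCSP 5.2.4 or later")
        if sig.startswith("sha256") and ver < MIN_FOR_SHA256:
            reasons.append("SHA256 needs SCSP 5.2.6 or later")
        if reasons:
            problems[host] = reasons
    return problems

if __name__ == "__main__":
    for host, why in sorted(incompatible_agents(SAMPLE_CERT_TEXT, SAMPLE_AGENTS).items()):
        print(host, "->", "; ".join(why))
```

Only RSA certificates with 2048-bit keys and SHA1 or SHA256 signatures are evaluated, since those are the cases the article covers.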