
Symantec Critical System Protection support for 2048-bit certificates.


Article ID: 160881




Critical System Protection


The security of the certificates used by SCSP needs to be increased from the default 1024-bit to 2048-bit, and agent compatibility needs to be verified.


Support for 2048-bit keys was introduced in OpenSSL 0.9.7, so certificates of this type will work with SCSP 5.2.4 and later. However, since SCSP 5.2.9, the keys will be generated with a SHA256 hash, which is not supported until OpenSSL 0.9.8. They will therefore not work on versions of SCSP prior to 5.2.6, in which OpenSSL 0.9.8n was introduced.

In order to create 2048-bit certificates on an SCSP 5.2.9 server to be compatible with SCSP 5.2.4 agents, you would need to add the following switch to the command lines mentioned below:

-sigalg SHA1withRSA

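SCSP support for 2048-bit certs and SHA256

| SCSP Version | 2048-bit cert support? | SHA256 support? | Default SHA version |
|--------------|------------------------|-----------------|---------------------|
| 5.2.4.x      | Yes                    | No              | SHA1                |
| 5.2.5.x      | Yes                    | No              | SHA1                |
| 5.2.6.x      | Yes                    | Yes             | SHA1                |
| 5.2.7.x      | Yes                    | Yes             | SHA1                |
| 5.2.8.x      | Yes                    | Yes             | SHA1                |
| 5.2.9.x      | Yes                    | Yes             | SHA1                |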
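
To check an existing certificate against the table above before rolling it out to older agents, the following added example (not part of the original article and not Symantec tooling) reads the text form printed by openssl x509 -noout -text and reports the key size, the digest, and the oldest agent release the table lists as accepting it. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: map a certificate's text dump to the support table above.
# stdin:  output of `openssl x509 -noout -text`
# stdout: "<key bits> <digest> <oldest SCSP agent release that accepts it>"
min_scsp_agent() {
    dump=$(cat)
    # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption
    sigalg=$(printf '%s\n' "$dump" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # "Public-Key: (2048 bit)"; older OpenSSL prints "RSA Public Key: (...)"
    bits=$(printf '%s\n' "$dump" |
        sed -n 's/^.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    digest=$(printf '%s' "$sigalg" | tr 'A-Z' 'a-z' | sed 's/with.*$//')
    case "$digest" in
        sha1)   min="5.2.4" ;;   # SHA1 is accepted by every release listed
        sha256) min="5.2.6" ;;   # SHA256 is "No" for 5.2.4.x and 5.2.5.x
        *)      min="unknown" ;; # digest the article does not cover
    esac
    case "$bits" in
        1024|2048) ;;            # the only key sizes the article discusses
        *) min="unknown" ;;
    esac
    echo "${bits:-unknown} ${digest:-unknown} $min"
}

# Constructed sample dump (not a real certificate).
# $1 = signature algorithm, $2 = key size in bits.
sample_dump() {
    cat <<EOF
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: $1
        Issuer: CN=scsp-server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: ($2 bit)
    Signature Algorithm: $1
EOF
}

sample_dump sha256WithRSAEncryption 2048 | min_scsp_agent  # 2048 sha256 5.2.6
sample_dump sha1WithRSAEncryption 2048 | min_scsp_agent    # 2048 sha1 5.2.4
```

A result of "unknown" means the certificate uses a digest or key size the article does not address, so test it against each agent version in use.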