When executing a TSS GENCERT command with SIGNALG(SHA256) to get an SHA256 certificate, the list output shows that it is OK: ALGORITHM = sha256WithRSAEncryption.
When executing a TSS GENREQ command to produce a file to be signed, the certificate in the file is an SHA1 certificate. Why isn't it an SHA256 digital certificate?
Currently, when we do a TSS GENREQ command, the PKCS #10 request that is produced will be SHA1 even if the certificate was SHA256. This should not be a problem, since the signer will replace the signature later. The signer's signature is the one that will be used once the certificate is added back into Top Secret.