SHA2 Certificates on Mac

cindySingh
New Contributor III

Hi Mac Champs,
Im facing hard times helping the Security Team implement SHA2 for Mac.
I have a profile to go and pull .cer from the Certificate Authority but when it goes and knocks the door, it goes with 2048bit Keylength and the request is denied. Has someone implemented SHA2 with 4096 bit length?

Thanks a lot!
CS

4 REPLIES 4

paul_love
New Contributor

Hi,
Is this an AD Certificate? a SCEP certificate?.

If an AD Certificate, then the keylength is configured on the certificate template.
If SCEP, it looks like Casper only supports 2048 bits

cindySingh
New Contributor III

Hi Paul, this is an AD certificate. Yes the key length is configured on the template according to the certificate team, but when i create a Config Profile to pull certificate from CA, the request from my Mac goes as 2048 only and it gets denied.
The cert team says the request is getting denied because the Mac is requesting with lower key length.

cindySingh
New Contributor III

Finally after banging my head, I found the way to do this:

cindyzMac:~ cinSin$ sudo openssl req -nodes -newkey rsa:4096 -out cindyzMac.domin.com.csr

This does the job of creating SHA2 csr. Hope this will help someone.

Thankingfullistic
:)

alexjdale
Valued Contributor III

You can set the keysize on 10.11 and higher in the configuration profile. Not sure if JAMF supports that, but I don't use the JSS for profiles.

https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW238