Summary

By default, X.509 certificates created by the BoKS internal Certificate Authority (CA) are signed with SHA-1/RSA. However, many vendors are replacing the SHA-1 algorithm with SHA-2.

Procedure

To change the default hash algorithm, edit $BOKS_etc/ca/ca_int/ca_int.cfg and change the value of the default_md parameter in that file.

For example, to change the algorithm to SHA-256, use the value sha256:

default_md = sha256 # md to use


Notes:

  • In BoKS versions before 6.6.2, not all components are compatible with SHA-2 certificates. See the Knowledge Base article "Reference: Support for SHA-2 signed x.509 certificates in FoxT products" for a summary.
  • The change affects only certificates created after it. Existing certificates remain unchanged.
  • You should create a new root CA and, optionally, subordinate CA certificates, and use them as the issuer for any new end-entity certificates.
  • The old CA chain should be kept as long as there are valid end-entity certificates in use that were issued by that CA.
  • To ensure the old CA chain can only be used for verification and not to issue new certificates, clear its INTERNAL classification flag by running the following command on the BoKS Master:

    BoKS # cacreds mod -n CA-dname -i NULL

    Note, however, that a side effect of removing the INTERNAL flag is that the CA will be listed as an External CA in the FCC administration GUI.
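The following is an added example, not code from BoKS or FoxT. It covers the two tasks the procedure and notes above imply: updating the default_md value in the configuration file without disturbing other settings or comments, and auditing existing certificates to find which ones still carry a SHA-1 (or MD5) signature, since those remain unchanged after the edit. It assumes ca_int.cfg uses OpenSSL-style "key = value # comment" lines, as the page's default_md line suggests; the DER parser is a minimal walker that reads only the tbsCertificate.signature AlgorithmIdentifier. The config fragment and the certificate skeleton used as input are constructed for the example.

```python
import re

# Digests accepted for new certificates (an assumption of this example, not a BoKS rule).
ALLOWED_MD = {"sha256", "sha384", "sha512"}

# PKCS#1 signature-algorithm OIDs (RFC 8017).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

# Matches "default_md = <value> # optional comment"; the comment is kept on rewrite.
_MD_LINE = re.compile(r"^(\s*default_md\s*=\s*)(\S+)(.*)$", re.MULTILINE)


def set_default_md(cfg_text: str, md: str) -> str:
    """Return cfg_text with the default_md value replaced and everything else intact."""
    if md not in ALLOWED_MD:
        raise ValueError(f"refusing to set weak or unknown digest {md!r}")
    if not _MD_LINE.search(cfg_text):
        raise ValueError("no default_md line found in config")
    return _MD_LINE.sub(lambda m: f"{m.group(1)}{md}{m.group(3)}", cfg_text, count=1)


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    """Dotted-decimal form of a DER OBJECT IDENTIFIER payload."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:                  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der: bytes) -> str:
    """Name of the signature algorithm declared in tbsCertificate.signature."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate is the first element
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                        # optional explicit [0] version; skip to serialNumber
        tag, _, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, alg, _ = _tlv(tbs, pos)             # AlgorithmIdentifier SEQUENCE follows the serial
    _, oid, _ = _tlv(alg, 0)
    dotted = _decode_oid(oid)
    return OID_NAMES.get(dotted, dotted)


def is_weak_signature(der: bytes) -> bool:
    """True when the certificate was signed with MD5 or SHA-1."""
    return signature_algorithm(der) in WEAK_SIGNATURES


def constructed_cert_skeleton(oid_bytes: bytes) -> bytes:
    """Constructed input: a Certificate SEQUENCE whose tbsCertificate holds only
    version, serialNumber and the signature AlgorithmIdentifier. Enough for the
    parser above; not a valid certificate."""
    alg = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"   # OID + NULL params
    alg = b"\x30" + bytes([len(alg)]) + alg
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + alg                 # v3, serial 1
    tbs = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs)]) + tbs


SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11

# Constructed config fragment modelled on the page's default_md line.
SAMPLE_CFG = "default_days = 365\ndefault_md = sha1 # md to use\n"

if __name__ == "__main__":
    print(set_default_md(SAMPLE_CFG, "sha256"), end="")
    for label, oid in (("old", SHA1_RSA_OID), ("new", SHA256_RSA_OID)):
        der = constructed_cert_skeleton(oid)
        print(label, signature_algorithm(der), "WEAK" if is_weak_signature(der) else "ok")
```

On a real system, feed signature_algorithm() the DER bytes of each issued certificate (PEM files can be decoded with base64 after stripping the BEGIN/END lines) to list the end-entity certificates that still depend on the old CA chain and therefore dictate how long that chain must be kept.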





Last Modified On: May 25, 2018