4.6 Configuring the PIV server hash algorithm

You can specify the hash algorithm that the PIV server uses for PIV data. PIV data can be hashed with SHA256 (required for PIV compliance) or with SHA1 (only for systems that do not require full PIV compliance). The default is SHA256.

  1. From the Configuration category, select Security Settings.
  2. Click the Server tab.
  3. Select a value for the PIV Server hash algorithm option.

    You can select one of the following:

    • SHA1

    • SHA256

  4. Click Save changes.

Note: Changing the PIV server hash algorithm affects cards that have already been issued if you use MyID to renew certificates on a card or to update the content of a card after issuance. For example, if you issue cards with SHA256 and then change the MyID configuration back to SHA1, collecting certificate renewals for those cards fails with a hash mismatch error. Collecting a key recovery and adding further certificates to an issued card are affected in the same way.
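The hash mismatch described in the note, and a pre-change audit that lists the issued cards a new setting would break, as an added illustration that is not MyID's own code or schema. The card record layout, the `hash_alg` field, and the sample cards are constructed for the example; only the two algorithm names (SHA1, SHA256) come from the setting itself.

```python
import hashlib

# The two values the PIV Server hash algorithm option accepts, mapped to hashlib.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def digest(data: bytes, algorithm: str) -> str:
    """Hex digest of PIV data under one of the two supported algorithms."""
    return ALGORITHMS[algorithm](data).hexdigest()


def issue_card(card_id: str, content: bytes, server_algorithm: str) -> dict:
    """Record a card at issuance. Assumed schema (not MyID's): the digest and the
    algorithm in force at issuance are stored with the card content."""
    return {
        "card_id": card_id,
        "content": content,
        "hash_alg": server_algorithm,
        "digest": digest(content, server_algorithm),
    }


def verify_for_update(card: dict, server_algorithm: str) -> tuple[bool, str]:
    """Pre-update check as the note describes it: the server recomputes the digest
    with its *currently configured* algorithm and compares it with the stored one.
    A card issued under a different algorithm fails with a hash mismatch."""
    recomputed = digest(card["content"], server_algorithm)
    if recomputed != card["digest"]:
        return (False, "hash mismatch: card %s issued with %s, server configured for %s"
                % (card["card_id"], card["hash_alg"], server_algorithm))
    return (True, "ok")


def cards_affected_by_change(cards: list[dict], new_algorithm: str) -> list[str]:
    """Audit to run *before* saving a new setting: every issued card whose
    recorded algorithm differs will fail renewals, key recovery collection
    and certificate additions once the change is saved."""
    return [c["card_id"] for c in cards if c["hash_alg"] != new_algorithm]


# Constructed sample data: two cards issued while the server ran SHA256 (the
# default) and one legacy card issued under SHA1.
SAMPLE_CARDS = [
    issue_card("CARD-0001", b"CHUID:0001;CERT:piv-auth-0001", "SHA256"),
    issue_card("CARD-0002", b"CHUID:0002;CERT:piv-auth-0002", "SHA256"),
    issue_card("CARD-0003", b"CHUID:0003;CERT:piv-auth-0003", "SHA1"),
]


if __name__ == "__main__":
    # Server still on SHA256: updates to the SHA256 cards succeed.
    print(verify_for_update(SAMPLE_CARDS[0], "SHA256"))
    # Configuration reverted to SHA1: the same card now fails with a mismatch.
    print(verify_for_update(SAMPLE_CARDS[0], "SHA1"))
    # What an administrator should check before reverting to SHA1.
    print("Cards that would break:", cards_affected_by_change(SAMPLE_CARDS, "SHA1"))
```

The useful point is the audit function: the note says the failure only surfaces when a renewal, key recovery collection or certificate addition is attempted, so listing the cards whose recorded algorithm differs from the proposed setting before clicking Save changes avoids discovering the mismatch one card at a time.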

You must set this option to SHA256 for PIV compliance and to follow best security practice. Running a production system with SHA1 is not recommended.