FM Certificates

By default, MKFM will not sign with a 512-bit certificate. It is recommended that you create your FM certificates using RSA 2048 instead of RSA512. For example:

ProtectServer ctcert c -s0 -k -trsa -z512 -lfm
ProtectServer 2 ctcert c -s0 -k -trsa -z2048 -lfm

MKFM now uses SHA-512 instead of SHA-1. To continue using a legacy 512-bit certificate for signing with a SHA-1 hash, you can use the -3 option of the MKFM command, although this is not recommended.

NOTE   For best practice, create your FM certificates using RSA 2048.


Customer Support Portal

SafeNet ProtectToolkit 5.9 Product Documentation  06 January 2020  Copyright 2009-2020 Thales. All rights reserved.