A customer got ERR_CERT_WEAK_SIGNATURE_ALGORITHM when trying to use z/OS certificates with the MQ Web interface. It was not easy to find out what the solution was.
From a Google Chrome help page it mention that it may be caused by the use of SHA1. This is a very week hashing, and is no longer supported.
We used Chrome to display the certificate (we also used the RACDCERT LIST command) This showed
Signing Algorithm: sha1RSA Key Type: RSA Key Size: 1024
So this show the SHA1 is being used.
The documentation for RACDCERT GENCERT shows the hashing algorithm is used for signing.
For RSA / DSA and the keysize is less than 2048 bits then SHA-1
For RSA / DSA and the keysize is 2048 bits or longer then SHA-256
For NISRECC or BPECC you get SHA-384 or SHA-512 - depending on the key size.
We changed the definitions to
Signing Algorithm: sha256RSA Key Usage: HANDSHAKE, DATAENCRYPT, DOCSIGN Key Type: RSA Key Size: 2048
With BPECC SIZE(512)
Signing Algorithm: sha512ECDSA Key Usage: HANDSHAKE, DOCSIGN Key Type: Brainpool ECC Key Size: 512 Note, we received message IRRD156I Keyusage is incompatible with Key algorithm.
and so we had to remove KEYUSAGE(HANDSHAKE