Crypto Policies - dogtagpki/pki GitHub Wiki
Some encryption or signing algorithms may be disabled by the system crypto policy. To change a specific policy, e.g. to add ML-DSA-44 in Fedora 43, modify the NSS configuration in the policies, for example:
$ sed -i \
's/smime-key-exchange:ECDSA/smime-key-exchange:ML-DSA-44:ECDSA/' \
/etc/crypto-policies/back-ends/nss.config
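The `sed` edit above exits 0 whether or not the pattern matched, so a policy file that lacks the `smime-key-exchange:ECDSA` entry is left unchanged without any message. The wrapper below is an added example, not code from the PKI project: `add_smime_kx_alg`, `write_sample` and the sample file contents are assumptions made for illustration, and it uses GNU `sed -i` as the command above does.

```shell
# Added example, not from the PKI wiki. add_smime_kx_alg and write_sample are
# hypothetical helpers; the sample file is constructed, not a real nss.config.

# Insert ALG before ECDSA in the smime-key-exchange entry, as the sed above
# does, but report the outcome instead of relying on sed's exit status.
# Prints: added | present | no-anchor | invalid | unreadable.
# Returns 0 when ALG is listed afterwards, 2 when the anchor is absent, non-zero otherwise.
add_smime_kx_alg() {
    cfg=$1
    alg=$2
    # Accept only policy-token characters so ALG is safe inside the sed expression.
    case $alg in
        ''|*[!A-Za-z0-9-]*) echo invalid; return 1 ;;
    esac
    [ -r "$cfg" ] || { echo unreadable; return 1; }
    if grep -qF "smime-key-exchange:${alg}:ECDSA" "$cfg"; then
        echo present; return 0
    fi
    if ! grep -qF "smime-key-exchange:ECDSA" "$cfg"; then
        echo no-anchor; return 2
    fi
    cp -p "$cfg" "$cfg.bak" || return 1    # keep the previous policy for rollback
    sed -i "s/smime-key-exchange:ECDSA/smime-key-exchange:${alg}:ECDSA/" "$cfg" \
        && grep -qF "smime-key-exchange:${alg}:ECDSA" "$cfg" && echo added
}

# Constructed, simplified stand-in for /etc/crypto-policies/back-ends/nss.config.
write_sample() {
    cat > "$1" <<'EOF'
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=SHA256:SHA384:smime-key-exchange:ECDSA:RSA-MIN=2048"
EOF
}

# Demo on a temporary copy, never on the real /etc path.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/nss.config"
add_smime_kx_alg "$demo_dir/nss.config" ML-DSA-44    # prints: added
add_smime_kx_alg "$demo_dir/nss.config" ML-DSA-44    # prints: present
rm -rf "$demo_dir"
```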
OpenJDK has its own crypto policy and FIPS configuration, but they are always disabled in the PKI server and tools. The OpenJDK crypto-policy configuration interferes with the JSS security provider loading mechanism, so these cannot be used. JSS works with the global crypto policies applied to NSS, as shown above.
To disable FIPS in OpenJDK 17, specify the following Java property:
$ java ... -Dcom.redhat.fips=false ... <class>
To disable crypto policies in OpenJDK 25, specify the following Java property:
$ java ... -Dredhat.crypto-policies=false ... <class>
Note: PKI server and tools commands always apply these settings by default.