Updating SSL keys on fedoraproject.org 2011-03-10
Chris Adams
cmadams at hiwaay.net
Fri Mar 11 20:18:25 UTC 2011
Once upon a time, Ralf Ertzinger <fedora at camperquake.de> said:
> this document is about a quite special case (regarding lawfully binding
> digital signatures) and not about SSL in general.
I took a short look at software support for other SSL hashes:
- OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating
a signing request or signing a cert
- NSS: certutil doesn't seem to offer the option to set the digest (I
didn't see one in -H output and there's no man/info page)
- GnuTLS: certtool supports up to SHA512 for signing, although it only
used SHA-1 for a signing request (it appeared to ignore the --hash
option when generating a request)
Once I had a SHA512-signed cert, OpenSSL recognized it and recognized
the SHA512 signature. It looks like NSS can't just look at a cert PEM
file; you have to create a cert database and import the cert. I did
that, and it didn't give an error, but I didn't see a way to be
"verbose" about it to see that it actually recognized the signature
algorithm.
This was all on F14. I tried a few RHEL servers as well; on RHEL 4,
OpenSSL did not recognize the signature algorithm (RHEL 5/6 did).
I didn't try to set up Apache with a SHA512 cert to see what browsers
recognized it.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
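The check described in the post above, done end to end with OpenSSL, as an added shell example that is not part of the original message: it generates an RSA key, a CSR and a self-signed certificate with a chosen digest, reads back the signature algorithm OpenSSL's parser reports for each object, and confirms the self-signature actually verifies rather than merely parses. It assumes a modern `openssl` binary on PATH (1.0.x or later accepts `-sha256` and `-sha512` on both `req` and `x509`); the subject name, file names and the `sha512`/`sha256` digest choices are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a CSR and a
# self-signed certificate signed with a chosen digest, then asks OpenSSL
# which signature algorithm it parsed and whether the self-signature
# verifies. Assumes a modern `openssl` on PATH; names below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert DIGEST: generate an RSA key, a CSR and a self-signed cert,
# all signed with DIGEST (e.g. sha256, sha512). Files: $WORK/DIGEST.*
make_cert() {
    d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$d.key" 2>/dev/null
    # The digest option is passed to both the CSR and the cert signing
    # step, so a tool that silently ignores it for CSRs would show up here.
    openssl req -new -key "$WORK/$d.key" -subj "/CN=$d.test.example" \
        -"$d" -out "$WORK/$d.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$d.csr" -signkey "$WORK/$d.key" \
        -days 1 -"$d" -out "$WORK/$d.crt" 2>/dev/null
}

# sig_alg TYPE FILE: print the signature algorithm OpenSSL reports for a
# PEM object; TYPE is "req" for a CSR or "x509" for a certificate.
# `-text` prints the algorithm twice for a certificate, so keep the first.
sig_alg() {
    openssl "$1" -in "$2" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# verify_self_signed FILE: succeed only if the certificate's signature
# checks out against its own public key. Parsing the algorithm name
# proves nothing about whether the verifier can actually use it.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: build a SHA-512 cert and report what this OpenSSL makes of it.
make_cert sha512
echo "CSR:  $(sig_alg req  "$WORK/sha512.csr")"
echo "Cert: $(sig_alg x509 "$WORK/sha512.crt")"
if verify_self_signed "$WORK/sha512.crt"; then
    echo "Cert: self-signature verifies"
else
    echo "Cert: self-signature does NOT verify on this OpenSSL"
fi
```

On a current OpenSSL both lines read `sha512WithRSAEncryption` and the verify step succeeds; on a build that only parses the OID but lacks the digest, the name may still print while the verify step fails, which is the distinction the post was looking for. To run the same check against a deployed server rather than a local file, pipe `openssl s_client -connect host:443 </dev/null` through `openssl x509 -noout -text`.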