There’s a lot going on here.

1) The discussion about /etc/pki/tls/cert.pem and ca-certificates belongs with your distro.
2) Assuming your distro ships the Mozilla Root Store, which few do correctly and successfully, the discussion about root certificates belongs with mozilla.dev.security.policy instead.
3) However, the signature algorithm on a root certificate does not matter, because the signature on the root isn’t used. Root certificates are just used as RFC5280 trust anchors, which means only the encoded Subject and subjectPublicKeyInfo matter.

Hopefully that addresses your concerns!

On Mon, Apr 13, 2020 at 10:33 PM zhujianwei (C) <zhujianw...@huawei.com> wrote:

> Hi, dev-tech-crypto
>
> I found /etc/pki/tls/cert.pem using 'Signature Algorithm:
> sha1WithRSAEncryption' from ca-certificates package. It is not safe
> algorithm.
> This is an unsafe algorithm. Are there plans to update to use a more
> secure algorithm?
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
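
Added example, not part of the original thread: a standard-library Python sketch of point 3, showing that two root encodings differing only in signature algorithm yield the same trust anchor (encoded Subject plus subjectPublicKeyInfo), so a SHA-1 finding only matters on certificates whose signature is verified. All function names are hypothetical and the sample certificates are constructed DER skeletons with no real key or signature.

```python
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID body, sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID body, sha256WithRSAEncryption

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into (tag, value, raw encoding) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def parse_cert(der):
    """Extract signature algorithm OID, encoded Subject and SPKI from a DER certificate."""
    tbs, sig_alg, _sig = children(read_tlv(der)[1])
    f = children(tbs[1])
    f = f[1:] if f[0][0] == 0xA0 else f  # skip the optional explicit [0] version
    return {"sig_alg": children(sig_alg[1])[0][1], "subject": f[4][2], "spki": f[5][2]}

def trust_anchor(der):
    """The parts of a root that path validation uses: encoded Subject and SPKI."""
    return tuple(parse_cert(der)[k] for k in ("subject", "spki"))

def sha1_finding(der, is_trust_anchor):
    """True only when the certificate's SHA-1 signature would actually be verified."""
    return parse_cert(der)["sig_alg"] == SHA1_RSA and not is_trust_anchor

def tlv(tag, *parts):  # tiny DER encoder for the samples (short-form lengths only)
    body = b"".join(parts)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_cert(alg_oid, issuer_cn, subject_cn, key=b"constructed-key"):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(6, b"\x55\x04\x03"), tlv(12, cn))))
    alg = tlv(0x30, tlv(6, alg_oid), tlv(5))
    tbs = tlv(0x30, tlv(0xA0, tlv(2, b"\x02")), tlv(2, b"\x01"), alg, name(issuer_cn),
              tlv(0x30), name(subject_cn), tlv(0x30, tlv(3, b"\x00" + key)))
    return tlv(0x30, tbs, alg, tlv(3, b"\x00"))

# Constructed samples: same root name and key under two signature algorithms, plus a CA below it.
ROOT_SHA1 = sample_cert(SHA1_RSA, b"Example Root", b"Example Root")
ROOT_SHA256 = sample_cert(SHA256_RSA, b"Example Root", b"Example Root")
INTERMEDIATE = sample_cert(SHA1_RSA, b"Example Root", b"Example Issuing CA")
```

Whether a certificate is a trust anchor is decided by the trust store it was loaded from, which is why `is_trust_anchor` is an input here rather than something inferred from the certificate itself.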