I couldn't find a configuration file way of making OpenCA send -sha1 to OpenSSL
so it would use sha1 for the signature algorithm.
OpenSSL defaults to MD5, although this can be changed by specifying -sha1 on
the command-line.
Patching OpenSSL.pm to send -sha1 to OpenSSL seems to do the trick. (attached).
Since sha1 is theoretically stronger than md5, I wonder if this should be
the default for OpenCA, or, is MD5 required for compatibility with early versions
of Netscape?
Craig.
305c305
< my $command = "$self->{shell} req -new ";
---
> my $command = "$self->{shell} req -new -sha1 ";
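Review bot: the digest is hard-coded into the command string at line 305 ("req -new -sha1 "), so a site that still needs MD5 for older clients would have to patch the module again. Consider reading the digest from a setting on $self, with sha1 as the default, and building the flag from that value instead of a literal.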
444c444
< my $command = "$self->{shell} req -x509 ";
---
> my $command = "$self->{shell} req -x509 -sha1 ";
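Review bot: the literal -sha1 is repeated at line 444 for "req -x509", so the two command strings can drift apart the next time the digest changes. Build the digest flag once and reuse it in both places. The patch also only touches the two req invocations shown here, so any other signing command that OpenSSL.pm assembles would still use OpenSSL's default digest and should be checked.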