Michael,

Firstly, thank you for your active support via this forum.

>No, this was not a reason and I found out via "grep -r default_md *" that
>we use md5 only in the CA-certificate. I think we should change this.
>Any comments?

I probably should have looked deeper before making too many comments.

I can say that when looking at the generated CA certificate you can make it produce a sha1 thumbprint by setting the default_md to sha1 in ca.conf. However, the SignatureAlgorithm remains as md5RSA. I suspect that this would also happen in other places within OpenCA because it is probably sharing the key/cert generation code, and that using the default_md specification in User.conf would be no different to when using it in ca.conf.

I think the options for the SignatureAlgorithm and the Thumbprint are specified separately, and that default_md sets the Thumbprint algorithm but not the SignatureAlgorithm.

I have found that:

if default_md = md5 then Thumbprint algorithm is MD5 AND SignatureAlgorithm is MD5
if default_md = sha1 then Thumbprint algorithm is SHA1 and SignatureAlgorithm is MD5

I expected that when default_md = sha1, both the thumbprint algorithm AND the SignatureAlgorithm would be SHA1. This was not the case.

If you look at Massimiliano's certificate in his signed e-mails to this list, when viewed with IE or Outlook, they also use md5RSA for the Signature algorithm and sha1 for the thumbprint. This sounds like the same behaviour that I have described when creating a CA certificate above.

Is my machine behaving badly, or is the behaviour also happening elsewhere?

Regards,
Craig
