On Fri, Jul 26, 2013, Perrow, Graeme wrote: > If I do "openssl x509 -in mycert.crt -text" I see "Signature Algorithm: > sha1WithRSAEncryption". There's no mention of MD5 here but since OpenSSL is > attempting to load it, I assume it's using the MD5-SHA1 combination. If that > *is* permitted, why am I getting the "disabled for FIPS" error? >
The "traditional" algorithm used to encrypt private keys uses MD5 for key derivation. This is not a permitted FIPS usage so it is banned in FIPS mode. If you create a private key in FIPS mode (which you should do anyway) it will use the more standard PKCS#8 format which uses SHA1 for key derivation and will work fine. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org