#54 SHA256 don't work

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-02-13
Created: 2010-09-17
Creator: Damien CHEVALIER
Private: No

I'm trying to use XCA 0.9 on Ubuntu 10.04.

I would like to create a new CA with a DSA or ECDSA private key and SHA256 as the signature algorithm.
But my generated CA is "ecdsa-with-SHA1" and I can't generate SHA256 hashes for my future certs.
Can you tell me why?

Discussion

  • DSA and EC are specified in RFC #3279, chapters 2.2.2 and 2.2.3, only for use with SHA1.
    Only RFC #5758 (Jan 2010) defines OIDs for DSA and EC with SHA2.

    However, AFAICS this is not yet supported in OpenSSL 1.0.0.
    SHA2 of course is implemented, but not in conjunction with DSA and the corresponding OID "id-dsa-with-sha2".

    I also doubt that many other apps/libs already implemented them, so they would not be able to verify your certs.

    Instead of implementing it myself, I will wait for OpenSSL to support it and then use it in XCA.
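The comment above turns on which OIDs a certificate's signatureAlgorithm field carries: the SHA-1 pairings from RFC 3279 versus the SHA-2 pairings from RFC 5758. The following Python is an added example, not code from the XCA project or the ticket author; it decodes the DER OID of a certificate's outer AlgorithmIdentifier and names it from a small table of those RFC 3279/5758 OIDs, which is the check a reviewer runs to see whether a CA is still signing with ecdsa-with-SHA1. The certificate it parses is a constructed, Certificate-shaped dummy (filler tbsCertificate, dummy signature), not a real certificate; the function names are this example's own.

```python
"""Identify the signature-algorithm OID of a DER-encoded X.509 certificate."""

# Signature OIDs for DSA and ECDSA: SHA-1 forms from RFC 3279, SHA-2 forms from RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.10040.4.3":      ("id-dsa-with-sha1",   "RFC 3279"),
    "1.2.840.10045.4.1":      ("ecdsa-with-SHA1",    "RFC 3279"),
    "2.16.840.1.101.3.4.3.1": ("id-dsa-with-sha224", "RFC 5758"),
    "2.16.840.1.101.3.4.3.2": ("id-dsa-with-sha256", "RFC 5758"),
    "1.2.840.10045.4.3.1":    ("ecdsa-with-SHA224",  "RFC 5758"),
    "1.2.840.10045.4.3.2":    ("ecdsa-with-SHA256",  "RFC 5758"),
    "1.2.840.10045.4.3.3":    ("ecdsa-with-SHA384",  "RFC 5758"),
    "1.2.840.10045.4.3.4":    ("ecdsa-with-SHA512",  "RFC 5758"),
}

SEQUENCE, OBJECT_IDENTIFIER, BIT_STRING, INTEGER, OCTET_STRING = 0x30, 0x06, 0x03, 0x02, 0x04


def read_tlv(data, pos):
    """Read one DER TLV at `pos`; return (tag, content bytes, position after the TLV)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der(tag, content):
    """Wrap content in a DER TLV, using the long-form length above 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + content


def decode_oid(raw):
    """Decode DER OID content bytes to dotted form (first byte packs two arcs, rest are base-128)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_dummy_certificate(sig_oid, filler=200):
    """Constructed test input, NOT a valid certificate: a Certificate-shaped SEQUENCE
    { tbsCertificate, signatureAlgorithm, signatureValue } whose tbsCertificate is filler
    large enough to force long-form lengths, as a real certificate would."""
    tbs = der(SEQUENCE, der(INTEGER, b"\x02") + der(OCTET_STRING, b"\xaa" * filler))
    alg = der(SEQUENCE, der(OBJECT_IDENTIFIER, encode_oid(sig_oid)))
    sig = der(BIT_STRING, b"\x00" + b"\x55" * 64)
    return der(SEQUENCE, tbs + alg + sig)


def signature_algorithm(cert_der):
    """Return (dotted OID, name, defining RFC) of the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)           # skip tbsCertificate
    tag, alg, _ = read_tlv(body, pos)          # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = read_tlv(alg, 0)         # first element is the algorithm OID
    if tag != OBJECT_IDENTIFIER:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid_raw)
    name, rfc = SIGNATURE_OIDS.get(dotted, ("unknown", "n/a"))
    return dotted, name, rfc


def uses_sha1(cert_der):
    """Policy check: true when the cert is signed with one of the RFC 3279 SHA-1 OIDs."""
    return signature_algorithm(cert_der)[1] in ("id-dsa-with-sha1", "ecdsa-with-SHA1")


if __name__ == "__main__":
    for oid in ("1.2.840.10045.4.1", "1.2.840.10045.4.3.4"):
        cert = build_dummy_certificate(oid)
        print(signature_algorithm(cert), "SHA-1 signature:", uses_sha1(cert))
```

To run it against a real file, load the DER bytes (or base64-decode the body of a PEM file) and pass them to `signature_algorithm`; the walker only reads the outer Certificate structure, so it does not need to understand the tbsCertificate contents.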

  • John
    2013-11-19

    Seems that we can nowadays generate ECDSA CA having
    Signature Algorithm: ecdsa-with-SHA512
    with openssl command line (OpenSSL 1.0.1e) but not with XCA (always uses SHA-1).

    Would it be possible to extend XCA with these new digests?

    Thanks!

  • Yes, I'm working on it. A release will follow soon.

  • dvo
    2014-02-13

    When can we expect the new release?