I created a root CA with XCA (0.6.4) and exported it in PEM format (.crt). When I open it in Windows XP SP2 I get the message 'The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered.' and 'This certificate has an nonvalid digital signature.'
If I try to import it in IE7 it says 'import successful' but it will not show up into the 'Thrusted Root Certificate Authorities' tab.
Am I doing something wrong? I used the CA template to create it...
your self-created/self-signed root ca certificate is untrusted. windows has no way to verify it's authenticity. you need to tell windows/ie to trust the cert as a ca cert.
if you need certs that are trusted everywhere, you need to get one from a certificate authority, such as verisign et al.
Thanks for answering but that isn't really the problem. A certificate that is untrusted to the OS/IE can always be imported into the trusted root certificate authorities and be set to trusted by an admin user. In this case it's not untrusted but somehow 'corrupt' to the OS.
It seems the problem lies with the SHA256 signature algorithm that is set to default. I used SHA 1 the second time and I've got a working cert now.
This problem is also discussed overhere:
However, I'm not sure about the implications of using SHA 1 above SHA 256. Can anyone shine some light on that?
ah, yes. windows only supports sha1. i have had the same issue as well. obviously it is less secure. but better than nothing i guess.
sorry for misinterpreting your question. i thought you were worried about the trust issues.
Well, we'll only be using it locally on the LAN to get rid of these troublesome IE7 certificate warning screens so it's not really an issue if it's less secure.
Thanks for the quick response anyway.
This is an old thread, but just to be clear, Windows no longer even supports SHA1, which is insecure. XCA should most certainly be changed so that SHA1 is not longer its default hashing algorithm in 2017. Shame on XCA.
Log in to post a comment.