#54 SHA256 doesn't work


I am trying to use XCA 0.9 on Ubuntu 10.04.

I would like to create a new CA with a DSA or ECDSA private key and SHA256 as the signature algorithm.
But my generated CA is "ecdsa-with-SHA1" and I can't generate SHA256 hashes for my future certs.
Can you tell me why?


  • Christian Hohnstaedt

    DSA and EC are specified in RFC #3279 Chapter 2.2.2 and 2.2.3 only for use with SHA1.
    Only RFC #5758 (Jan 2010) defines OIDs for DSA and EC with SHA2.

    However, AFAICS this is not yet supported in OpenSSL 1.0.0.
    SHA2 of course is implemented, but not in conjunction with DSA and the corresponding OID "id-dsa-with-sha2".

    I also doubt that many other apps/libs already implemented them, so they would not be able to verify your certs.

    Instead of implementing it myself, I will wait for OpenSSL to support it and then use it in XCA.

  • John

    John - 2013-11-19

    Seems that we can nowadays generate ECDSA CA having
    Signature Algorithm: ecdsa-with-SHA512
    with openssl command line (OpenSSL 1.0.1e) but not with XCA (always uses SHA-1).

    Would it be possible to extend XCA with these new digests?


  • Christian Hohnstaedt

    Yes, I'm working on it. A release will follow soon.

  • David von Oheimb

    When can we expect the new release?

  • Christian Hohnstaedt

    Now :-)

    XCA 1.0.0 released

  • Christian Hohnstaedt

    • status: open --> closed
    • Group: --> Next_Release_(example)
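
Added example (not from the thread or from XCA): a small Python check that reads the outer signatureAlgorithm OID of a DER certificate and reports whether it is one of the SHA-1 identifiers from RFC 3279 or a SHA-2 identifier from RFC 5758. The two inputs are constructed skeletons, not valid certificates, and the function and variable names are assumptions of this example.

```python
SIG_ALGS = {  # signature-algorithm OIDs from RFC 3279 and RFC 5758
    "1.2.840.10040.4.3":      "id-dsa-with-sha1 (RFC 3279)",
    "1.2.840.10045.4.1":      "ecdsa-with-SHA1 (RFC 3279)",
    "2.16.840.1.101.3.4.3.1": "id-dsa-with-sha224 (RFC 5758)",
    "2.16.840.1.101.3.4.3.2": "id-dsa-with-sha256 (RFC 5758)",
    "1.2.840.10045.4.3.1":    "ecdsa-with-SHA224 (RFC 5758)",
    "1.2.840.10045.4.3.2":    "ecdsa-with-SHA256 (RFC 5758)",
    "1.2.840.10045.4.3.3":    "ecdsa-with-SHA384 (RFC 5758)",
    "1.2.840.10045.4.3.4":    "ecdsa-with-SHA512 (RFC 5758)",
}
SHA1_OIDS = {"1.2.840.10040.4.3", "1.2.840.10045.4.1"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OID content bytes (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm(cert_der):
    """Return (oid, name, is_sha1) for Certificate.signatureAlgorithm."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 Certificate structure")
    oid = decode_oid(cert_der[oid_start:oid_end])
    return oid, SIG_ALGS.get(oid, "unknown"), oid in SHA1_OIDS

# Constructed skeletons (empty tbsCertificate and signature), not real certs.
SKELETON_SHA1 = bytes.fromhex("3010" "3000" "3009" "06072a8648ce3d0401" "030100")
SKELETON_SHA256 = bytes.fromhex("3011" "3000" "300a" "06082a8648ce3d040302" "030100")

if __name__ == "__main__":
    print(signature_algorithm(SKELETON_SHA1), signature_algorithm(SKELETON_SHA256))
```

For a real certificate, pass the output of `ssl.PEM_cert_to_DER_cert(pem_text)`; `openssl x509 -noout -text` shows the same field as "Signature Algorithm".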
