Hi, in our tests we noticed an OpenSSL peculiarity that might affect OpenCA, too. I don't have the time right now, so I cannot test this currently with the CVS head, but I am quite sure that the problem exists there, too.
Imagine you have a CA policy that demands sha1WithRSAEncryption as the signature algorithm throughout your CA. (You don't seriously want MD5, do you?) You can set default_md = sha1 in your OpenSSL configuration file for OpenCA and you will get the desired hash algorithm in certificates.

However, if you also want sha1WithRSAEncryption in CRLs, it doesn't seem to be possible to configure this in the openssl.cnf file. In fact, I found out that it is seemingly necessary to explicitly call openssl ca -gencrl -md sha1 ... in order to get sha1WithRSAEncryption instead of the default md5WithRSAEncryption.

Some people (like us) might want to be able to configure this in the CA configuration. Perhaps I missed something, but I think currently it is not possible to set this up. Should it be added to config.xml?

cheers

Martin

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
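A policy check for the situation described in the message above, as an added example that is not part of the original post or of OpenCA: it reads the text dump of a CRL and passes only if every "Signature Algorithm" field matches the required algorithm. The function names, the REQUIRED_ALG variable and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit gate for the CRL signature algorithm.
# REQUIRED_ALG is an assumed policy value, taken from the post.
REQUIRED_ALG="sha1WithRSAEncryption"

# Read `openssl crl -noout -text` output on stdin and print each distinct
# "Signature Algorithm:" value. The dump names the algorithm twice (inside
# the signed list and again next to the signature value), so a conforming
# CRL yields exactly one distinct value.
crl_sig_algs() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sort -u
}

# Return 0 only if the dump on stdin uses REQUIRED_ALG and nothing else.
crl_meets_policy() {
    algs=$(crl_sig_algs)
    [ -n "$algs" ] && [ "$algs" = "$REQUIRED_ALG" ]
}

# Check a PEM CRL file on disk (needs the openssl binary).
check_crl_file() {
    openssl crl -in "$1" -noout -text | crl_meets_policy
}

# Constructed sample: what a CRL issued without -md sha1 looks like
# according to the post (default md5WithRSAEncryption).
sample_md5_crl() {
cat <<'EOF'
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=XX/O=Example/CN=Example CA
        Last Update: Jan  1 00:00:00 2004 GMT
        Next Update: Feb  1 00:00:00 2004 GMT
No Revoked Certificates.
    Signature Algorithm: md5WithRSAEncryption
EOF
}

# Constructed sample: the same dump as issued with -md sha1.
sample_sha1_crl() { sample_md5_crl | sed 's/md5With/sha1With/'; }

# When given a file argument, report whether that CRL meets the policy.
if [ "$#" -gt 0 ]; then
    if check_crl_file "$1"; then echo "OK: $1"; else echo "POLICY VIOLATION: $1"; fi
fi
```

Run against each freshly issued CRL before publication, this catches a CRL generated without the explicit -md option.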