On Wed, May 28, 2008, Paul Schmehl wrote:

> We use Verisign certs for signing and encrypting our email.  This year 
> Verisign changed the algorithm used for their certs from md5RSA to sha1RSA. 
> Now all my unix and mac clients can no longer import their certs because 
> openssl apparently doesn't understand that algorithm.
>
> This is the result of the following command for an md5RSA cert - openssl 
> pkcs12 -in certname:
>
> Bag Attributes: <Empty Attributes>
> subject=/O=The University of Texas System/OU=VeriSign Trust 
> Network/OU=Terms of use at https://www.verisign.com/rpa (c)99/OU=Class 2 CA 
> - OnSite Individual Subscriber/CN=The University of Texas at Dallas CA
> issuer=/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification 
> Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use 
> only/OU=VeriSign Trust Network
>
> This is the result of the same command for a sha1RSA cert:
>
> 88566:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
> tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:1294:
> 88566:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 
> error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:380:Type=PKCS12
>
> Is there a roadmap in the development plan for including sha1RSA in the 
> algorithms that openssl understands?
>

OpenSSL has supported sha1+RSA from the very beginning. You wouldn't expect
that error if it didn't recognize the algorithm.... even for totally
unsupported algorithms OpenSSL will still parse the certificates.

I'd say that whatever you are feeding into 'openssl pkcs12' is not in PKCS#12
format.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
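As an added diagnostic for the situation in this thread (not code from the thread or from the OpenSSL project): a small Python sniffer that reads the outer ASN.1 structure of a file and reports whether it is really a PKCS#12 PFX, a bare X.509 certificate or a PKCS#7 bundle, in DER or PEM, before the file is handed to `openssl pkcs12`. The sample inputs are constructed minimal structures, not real certificates.

```python
import base64
import re

# Added diagnostic (not from the thread): tell what a file handed to "openssl pkcs12"
# really is from its outer ASN.1 shape. PKCS#12 = SEQUENCE { INTEGER 3, ... };
# X.509 cert = SEQUENCE { SEQUENCE, ... }; PKCS#7 = SEQUENCE { OID 1.2.840.113549.1.7.x, ... }
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PKCS7_OID_PREFIX = bytes.fromhex("2a864886f70d0107")  # 1.2.840.113549.1.7

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def classify_der(der):
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return "not-a-sequence"
    inner_tag, istart, iend = _read_tlv(der, start)   # first element inside
    inner = der[istart:iend]
    if inner_tag == 0x02 and inner == b"\x03":        # PFX version INTEGER 3
        return "pkcs12"
    if inner_tag == 0x30:                             # tbsCertificate
        return "x509-cert"
    if inner_tag == 0x06 and inner.startswith(PKCS7_OID_PREFIX):
        return "pkcs7"
    return "unknown-sequence"

def classify_file_bytes(data):
    """Return (encoding, kind); encoding is 'der' or 'pem:<LABEL>'."""
    m = PEM_RE.search(data)
    if m:                                  # PEM: strip armour, base64-decode, then sniff
        der = base64.b64decode(b"".join(m.group(2).split()))
        return "pem:" + m.group(1).decode(), classify_der(der)
    return "der", classify_der(data)

# Constructed sample inputs: minimal structures carrying only the leading element.
CONSTRUCTED_PFX_DER = bytes.fromhex("3005 020103 3000")
CONSTRUCTED_P7_DER = bytes.fromhex("300b 0609 2a864886f70d010702")
CONSTRUCTED_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    bytes.fromhex("3004 3000 3000")) + b"\n-----END CERTIFICATE-----\n")
```

If the result is `x509-cert` or `pkcs7`, the file wants `openssl x509` or `openssl pkcs7 -print_certs` (with `-inform DER` for the DER case), not `openssl pkcs12`.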
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org