Note that SHA-1 is being deprecated by NIST for generating new signatures. You may want to consider a SHA-2 algorithm (e.g., SHA-224 or SHA-256). In principle it's still okay to *validate* legacy signatures, e.g., SHA-1.
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
Sent: Wednesday, October 30, 2013 11:05
To: openssl-users@openssl.org
Subject: Re: Signature Algorithm that was disabled because that algorithm is not secure

Hello,

On 30.10.2013 18:17, Marcus Schmitt wrote:
> I have one problem after I created a root-CA, intermediate-CA and a server
> certificate. After I configured my apache with the server cert, key and
> intermediate cert and importing the root-CA to firefox 24 I received the
> following error when I browse to the website:
>
> Could not verify this certificate because it was signed using a
> signature algorithm that was disabled because that algorithm is not
> secure
>
> I assume the reason for this error message is that I see "Certificate
> Signature Algorithm" is "PKCS #1 MD5 With RSA Encryption" for the
> Intermediate Certificate and Server Certificate. For the root-CA I see "PKCS
> #1 SHA With RSA Encryption".
>
> Unfortunately I was not able to find the reason for this issue, please find
> the lines I use below:

The problem is not in one of these lines, it is in the config file openssl.cnf

> openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
> openssl req -new -x509 -nodes -days 3650 -key private/cakey.pem -out certs/cacert.pem -config openssl.cnf
>
> openssl genrsa -des3 -out private/cakey.pem 2048 -config ./openssl.cnf
> openssl req -new -sha1 -key private/cakey.pem -out csr/ica.csr -config ./openssl.cnf
> openssl ca -config ./openssl.cnf -days 1825 -md sha1 -in ica.csr -out ica.crt -extensions v3_ca
>
> openssl genrsa -des3 -out server.key 2048 -config ./openssl.cnf
> openssl req -new -sha1 -key private/server.key -out csr/server.csr -config ./openssl.cnf
> openssl ca -config ./openssl.cnf -days 730 -md sha1 -in server.csr -out server.crt

Look if you find there something similar to

default_md = md5

change this to

default_md = sha1

and generate your certificates the same way as above.

Greetings,
Walter
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
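As an added example (not part of the thread or of OpenSSL itself), a small POSIX sh audit that finds the two problems discussed above: an `openssl.cnf` whose `default_md` is still `md5`, and issued certificates whose signature algorithm Firefox 24 rejects. It assumes `openssl x509 -text` output for real files; the classification and config check work on plain text so they run without any certificate present.

```shell
#!/bin/sh
# Added example: audit an OpenSSL CA setup for weak signature hashes.
# classify_sigalg takes an algorithm name as printed by "openssl x509 -text"
# (e.g. md5WithRSAEncryption) and prints a verdict; exit status 1 means "reject".
classify_sigalg() {
    case "$1" in
        md2*|md4*|md5*)                       echo WEAK;    return 1 ;;  # rejected by Firefox 24
        sha1*|dsaWithSHA1*|ecdsa-with-SHA1)   echo LEGACY;  return 0 ;;  # validate only, do not issue
        sha224*|sha256*|sha384*|sha512*|ecdsa-with-SHA[235]*)
                                              echo OK;      return 0 ;;
        *)                                    echo UNKNOWN; return 1 ;;
    esac
}

# Signature algorithm of one PEM certificate (first "Signature Algorithm:" line).
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Print every "default_md = <value>" assignment found in an openssl.cnf read on stdin,
# ignoring trailing comments. An md5 here is the root cause Walter points at.
config_default_md() {
    sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p'
}

# Audit a list of certificate files; exit 1 if any of them is signed with a weak hash.
audit_chain() {
    status=0
    for f in "$@"; do
        alg=$(cert_sigalg "$f")
        verdict=$(classify_sigalg "$alg") || status=1
        printf '%s: %s (%s)\n' "$f" "$alg" "$verdict"
    done
    return $status
}

# Usage: ./audit.sh certs/cacert.pem ica.crt server.crt
#        config_default_md < openssl.cnf
if [ $# -gt 0 ]; then audit_chain "$@"; fi
```

Running the audit over the root, intermediate and server certificates from the thread would report the two MD5-signed certificates as WEAK and the SHA-1 root as LEGACY.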