Once upon a time, Ralf Ertzinger <fedora@xxxxxxxxxxxxxx> said:
> this document is about a quite special case (regarding lawfully binding
> digital signatures) and not about SSL in general.

I took a short look at software support for other SSL hashes:

- OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating a
  signing request or signing a cert

- NSS: certutil doesn't seem to offer the option to set the digest (I
  didn't see one in -H output and there's no man/info page)

- GnuTLS: certtool supports up to SHA512 for signing, although it only
  used SHA-1 for a signing request (it appeared to ignore the --hash
  option when generating a request)

Once I had a SHA512 signed cert, OpenSSL recognized it and recognized
the SHA512 signature. It looks like NSS can't just look at a cert PEM
file; you have to create a cert database and import the cert; I did
that, and it didn't give an error, but I didn't see a way to be
"verbose" about it to see that it actually recognized the signature
algorithm.

This was all on F14. I tried a few RHEL servers as well; on RHEL 4,
OpenSSL did not recognize the signature algorithm (RHEL 5/6 did).

I didn't try to set up Apache with a SHA512 cert to see what browsers
recognized it.

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel