
cacert - testing sha512,384,256,224 keys/certs in support of cacert's new roots

Subject: A better approach to security

  • From: Daniel Black <daniel AT cacert.org>
  • To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, cacert-policy AT lists.cacert.org, cacert AT lists.cacert.org
  • Subject: testing sha512,384,256,224 keys/certs in support of cacert's new roots
  • Date: Tue, 30 Mar 2010 00:27:57 +1100
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
  • Organization: CAcert

All,

It was questioned here about the feasibility of sha2 in our new roots 
especially with regard to apache's httpd support.

It seems supporting a higher version than sha1 would be good if we can.
https://lists.cacert.org/wws/arc/cacert-root/2010-03/msg00018.html

It was working for a fairly recent apache httpd version (2.2.14). I'd like
you to test in as many applications as you can.

Brief instructions:
SSLCertificateFile eec.pem
SSLCertificateKeyFile eeckey.pem
SSLCACertificatePath roots/
put *root*.pem into /roots and run c_rehash roots/

ssl/tls verification can be performed with:
openssl s_client -connect localhost:443 -showcerts -verify 3 -CApath roots/

eec.pem is an end entity certificate with client, server and codesigning
enabled.
It is issued off subroot1 which is issued off root.

Here's a list of roots/end user certs for sha{224,256,384,512}withRSA roots, 
keys certs. This url needs a CAcert client certificate to retrieve.
https://lists.cacert.org/wws/d_read/cacert-root/cacerttestroots.zip

Please play around and report back to the cacert-sysadm AT lists.cacert.org
what works and doesn't.

Email me if you have troubles.
-- 
Daniel Black
CAcert

Attachment: smime.p7s
Description: S/MIME cryptographic signature
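
The layout the message describes (eec.pem issued off subroot1, which is issued off root, with the CA certificates in a hashed roots/ directory) can be rehearsed against the local OpenSSL build for each SHA-2 digest. The script below is an added example, not part of the original message or of CAcert's tooling; the subjects, two-day lifetime, 2048-bit keys and the use of `openssl rehash` (the built-in equivalent of c_rehash, OpenSSL 1.1.0 or later) are assumptions.

```shell
#!/bin/sh
# Added example: constructed root -> subroot1 -> eec chain per SHA-2 digest,
# verified through a hashed CApath directory. Subjects and lifetimes are made up.

# sig_alg FILE: print the signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# new_csr NAME DIR: fresh 2048-bit RSA key and CSR with a constructed subject.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed $1" \
        -keyout "$2/${1}key.pem" -out "$2/$1.csr" 2>/dev/null
}

# make_chain DIGEST DIR: sign all three certificates with -DIGEST.
make_chain() {
    dg=$1 dir=$2
    mkdir -p "$dir/roots" || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth,codeSigning\n' \
        > "$dir/eec.ext"
    new_csr root "$dir" && new_csr subroot1 "$dir" && new_csr eec "$dir" || return 1
    openssl x509 -req -"$dg" -days 2 -in "$dir/root.csr" -signkey "$dir/rootkey.pem" \
        -extfile "$dir/ca.ext" -out "$dir/roots/root.pem" 2>/dev/null &&
    openssl x509 -req -"$dg" -days 2 -in "$dir/subroot1.csr" -set_serial 2 \
        -CA "$dir/roots/root.pem" -CAkey "$dir/rootkey.pem" \
        -extfile "$dir/ca.ext" -out "$dir/roots/subroot1.pem" 2>/dev/null &&
    openssl x509 -req -"$dg" -days 2 -in "$dir/eec.csr" -set_serial 3 \
        -CA "$dir/roots/subroot1.pem" -CAkey "$dir/subroot1key.pem" \
        -extfile "$dir/eec.ext" -out "$dir/eec.pem" 2>/dev/null &&
    openssl rehash "$dir/roots"   # assumption: OpenSSL >= 1.1.0, else use c_rehash
}

# verify_chain DIR: succeeds only if eec.pem chains to a root in DIR/roots.
verify_chain() {
    openssl verify -CApath "$1/roots" "$1/eec.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
for d in sha224 sha256 sha384 sha512; do
    if make_chain "$d" "$WORK/$d" && verify_chain "$WORK/$d"; then
        echo "$d: OK, eec.pem signed with $(sig_alg "$WORK/$d/eec.pem")"
    else
        echo "$d: FAILED on $(openssl version)"
    fi
done
```

A digest reported as FAILED points at the local OpenSSL build rather than at the server, which helps separate client-side gaps from httpd ones when reporting results.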



