Changes between Initial Version and Version 1 of Ticket #13379, comment 30


Timestamp: Nov 27, 2014, 12:01:10 PM (4 years ago)
Author: gk
  • Ticket #13379, comment 30

    initial / v1 (line numbers are those of the comment text; lines 2, 4, 6 and 8 are blank in both versions)

    1 (unmodified): There are some wrinkles here when generating certificates:

    3 (initial): 1) We are stuck with SHA1 for the moment which is not optimal to say the least. I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1105689 to get that fixed upstream. Not sure how easy it would be to loosen that constraint ourselves. Maybe we'd need to just get rid of that check in https://mxr.mozilla.org/mozilla-central/source/modules/libmar/verify/mar_verify.c#330
    3 (v1): 1) We are stuck with SHA1 for the moment which is not optimal to say the least. I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1105689 to get that fixed upstream. Not sure how easy it would be to loosen that constraint ourselves. Maybe we'd just need to get rid of that check in https://mxr.mozilla.org/mozilla-central/source/modules/libmar/verify/mar_verify.c#330.

    5 (initial): 2) Newer `certutils` versions use SHA256 by default. This got implemented by https://bugzilla.mozilla.org/show_bug.cgi?id=1058933. So be sure to check the resulting cert with something like `openssl x509 -in marsigner2.der -inform der -text | grep sha1WithRSAEncryption`
    5 (v1): 2) Newer `certutils` versions use SHA256 by default. This got implemented by https://bugzilla.mozilla.org/show_bug.cgi?id=1058933. So be sure to check the resulting cert with something like `openssl x509 -in marsigner2.der -inform der -text | grep sha1WithRSAEncryption`.

    7 (initial): 3) If you happen to have such a newer `certutils` you may change the default hash algorithm with the `-Z` option which is basically undocumented (this is https://bugzilla.mozilla.org/show_bug.cgi?id=1058870)
    7 (v1): 3) If you happen to have such a newer `certutils` you may change the default hash algorithm with the `-Z` option which is basically undocumented (this is https://bugzilla.mozilla.org/show_bug.cgi?id=1058870).

    9 (unmodified): 4) It is not possible to store two certs with the same CN in the database (even if the nicknames are different).
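The `openssl x509 ... | grep sha1WithRSAEncryption` check from the comment, as an added example that is not part of the ticket or of the Tor/Mozilla code: it reads the outer signatureAlgorithm OID straight from a DER certificate so a build script can fail fast when certutil defaulted to SHA-256. The certificate bytes are a constructed DER skeleton (not a real cert) and all function names are my own.

```python
# Walks the outer DER structure of an X.509 certificate:
#   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
#                              signatureAlgorithm SEQUENCE { OID, params },
#                              signatureValue BIT STRING }

# Raw OBJECT IDENTIFIER content bytes for the two RSA signature algorithms discussed.
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}

def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, body):
    """Encode a DER TLV (short- or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def signature_algorithm(der):
    """Name (or hex-encoded OID) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert)         # skip tbsCertificate
    _, algid, _ = read_tlv(cert, after_tbs)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(algid)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return SIG_ALGS.get(oid, oid.hex())

def mar_signer_ok(der):
    """True when the cert is SHA-1/RSA signed, which the ticket says MAR verification still needs."""
    return signature_algorithm(der) == "sha1WithRSAEncryption"

def fake_cert(oid_bytes):
    """Constructed certificate skeleton (not a real cert) carrying the given signature OID."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                      # stand-in tbsCertificate
    algid = tlv(0x30, tlv(0x06, oid_bytes) + b"\x05\x00")    # OID + NULL parameters
    sig = tlv(0x03, b"\x00" + b"\xAA" * 128)                 # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + algid + sig)
```

On a real file, `mar_signer_ok(open("marsigner2.der", "rb").read())` gives the same answer as the grep in the comment, without shelling out to openssl.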