vletoux/OpenPGP-CSP

Creating cert key for CA: expand availability of hash algorithms for signing certs

techge opened this issue · 5 comments

When trying to create a root certificate on an OpenPGP Card (signature slot) for an AD CS, only a few hash algorithms for signing certificates issued by the CA can be chosen.
Vincent already suggested fixing it by:

Try to replace MS_STRONG_PROV with MS_ENH_RSA_AES_PROV (you may change PROV_RSA_FULL with PROV_RSA_AES).


I will try to do it, but as I have no working building environment set up yet, it may take some time...

Using SHA2 with MS CA requires a KSP and won't work with a CSP

As proof, the MS Base Smart Card CSP supports only legacy algorithms

I saw commit 2ab1db2. Is this worth retesting already or WIP?

KSP is read only (no key generation). Not tested at all.
No WIP for the moment.

Please test the latest release