Which Root CA still issues SHA-1 ssl certificates?

左心房为你撑大大i 提交于 2020-01-07 00:54:07

问题


Is there any CA that still issues SHA-1 certificates? I need it for TR management to manage devices with base firmware that does not support sha256.


回答1:


imho, Public CA's will no longer issues SHA-1 certificates; they are bounded by the strict guidance of the Certificate Authority/Browser Forum to no longer issue new server certificates with SHA1 signature algorithm.

7.1.3. Algorithm Object Identifiers

Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA‐1 hash algorithm. CAs MAY continue to sign certificates to verify OCSP responses using SHA1 until 1 January 2017. This Section 7.1.3 does not apply to Root CA or CA cross certificates. CAs MAY continue to use their existing SHA‐1 Root Certificates. SHA‐2 Subscriber certificates SHOULD NOT chain up to a SHA‐1 Subordinate CA Certificate.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.7.pdf



来源:https://stackoverflow.com/questions/35702419/which-root-ca-still-issues-sha-1-ssl-certificates

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!