[openssl-users] Why is this OCSP response reporting a hash using SHA1?

Robert Moskowitz rgm at htt-consult.com
Mon Sep 11 16:16:27 UTC 2017



On 09/08/2017 10:08 PM, Dr. Stephen Henson wrote:
> On Fri, Sep 08, 2017, Robert Moskowitz wrote:
>
>> I am using the test responder:
>>
>>     openssl ocsp -port 2560 -text -rmd sha256 \
>>           -index index.txt \
>>           -CA certs/ca-chain.cert.pem \
>>           -rkey private/$ocspurl.key.pem \
>>           -rsigner certs/$ocspurl.cert.pem \
>>           -nrequest 1
>>
>>
>> What is the SHA1 hash report about?  It comes right after the line:
>> Certificate ID:
>>
>>      Certificate ID:
>>        Hash Algorithm: sha1
>>        Issuer Name Hash: CA1F5832FA387F0127D8E0583F7331D1B903DBF0
>>        Issuer Key Hash: A3278D00B053BF259193A4833E669C451DAD36E0
>>        Serial Number: 762900CAB55A4762
> It's the hash algorithm used to hash the issuer name and key to identify them.

And how do you get it to use sha256?

I would think that the -rmd sha256 in the responder command would do that?
What does it do anyway?  It is listed in the -help:

  -rmd val                Digest Algorithm to use in signature of OCSP response

but not in the man page.

Ah, put -sha256 in the CLIENT request.  Seems kind of backward.  Or at
least the server should have some control over the hash used?

thanks

Bob


