Signing CSR With Weak Algorithms

TerraNullis · Sep 11, 2017, 11:58 AM

Upgraded from pfSense 2.3 -> 2.4 to be able to comfortably sign CSRs through the GUI.
And that functionality is there and im all happy about it!
but theres a BUT!

Cert_manager is signing the CSRs with a SHA1 digest. which by todays standards is weak. and google reports on it furiously with red paint all over the page.

Is there any possibility to sign CSRs with a stronger algorithm (sha2(+)) in the GUI?

jimp · Sep 11, 2017, 5:43 PM

You are right, there should be a field for that but there isn't.

I opened https://redmine.pfsense.org/issues/7853 and I have some code ready to push to add it in, plus display the digest algo in the infoblock for each cert.

TerraNullis · Sep 12, 2017, 7:37 AM

tbh, that was a stupid fast integration, thanks alot for a great product and awesome response!