Description of problem:
When trying to generate a self-signed certificate with genkey --days 365 host.domain.com, it fails with the error

Version-Release number of selected component (if applicable):
(null): bad certificate request : The certificate was signed using a signature algorithm that is disabled because it is not secure.

How reproducible:
Every time

Steps to Reproduce:
1. Install crypto-utils and mod_ssl
2. Run genkey --days 365 demo.example.com
3. Say no to generating a CSR
4. Input cert data

Actual results:
genkey exits with (null): bad certificate request : The certificate was signed using a signature algorithm that is disabled because it is not secure.

Expected results:
genkey to sign it with a secure algorithm and generate a cert

Additional info:
Same for F17.
Same problem in F18 with domain name as argument.
Same for F17, using genkey from crypto-utils-2.4.1-39.fc17.x86_64 (currently the latest).
This is caused by a change that came when we updated to nss 3.14 from upstream.

Support for certificate signatures using the MD5 hash algorithm is now disabled by default. - https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes

NSS always gives the user a way to override changes for compatibility. Setting a runtime environment variable via NSS_HASH_ALG_SUPPORT=+MD5 should solve your problem. This is temporary, and longer term genkey should use a more secure digest algorithm. In my opinion you shouldn't have to go around overriding defaults. Our tools should do the right thing for you. The burden is on me.
I've confirmed that running "export NSS_HASH_ALG_SUPPORT=+MD5" before genkey means the cert can be generated.
(In reply to junk from comment #5)
> I've confirmed that running "export NSS_HASH_ALG_SUPPORT=+MD5" before genkey
> means the cert can be generated.

For me it's not working (Fedora 19). I get the same error w/o NSS_HASH_ALG_SUPPORT.

Linux skipper 3.9.9-302.fc19.x86_64 #1 SMP Sat Jul 6 13:41:07 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Same for F19
What if in addition to export NSS_HASH_ALG_SUPPORT=+MD5 you also set export NSS_ALLOW_WEAK_SIGNATURE_ALG=1, does it work then?
Same behavior with Fedora 20 Alpha. crypto-utils-2.4.1-44.fc20.x86_64
I was able to create a self signed cert on F19 when both settings were applied.
Default config still fails in Fedora 20. It's also worth noting that overriding the disabling of the MD5 digest algorithm creates a certificate which many browsers will not trust at all which renders this tool pretty useless.
Commit: http://pkgs.fedoraproject.org/gitweb/?p=crypto-utils.git;a=commitdiff;h=900400f9a8e2cb8aad10b8a66aac65d2c0af0f60
Package: crypto-utils-2.4.1-45.fc21
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=493045
Commit: http://pkgs.fedoraproject.org/gitweb/?p=crypto-utils.git;a=commitdiff;h=900400f9a8e2cb8aad10b8a66aac65d2c0af0f60
Package: crypto-utils-2.4.1-45.fc20
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=493061
crypto-utils-2.4.1-45.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/crypto-utils-2.4.1-45.fc20
Commit: http://pkgs.fedoraproject.org/gitweb/?p=crypto-utils.git;a=commitdiff;h=900400f9a8e2cb8aad10b8a66aac65d2c0af0f60
Package: crypto-utils-2.4.1-45.fc19
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=493076
crypto-utils-2.4.1-45.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/crypto-utils-2.4.1-45.fc19
*** Bug 1017960 has been marked as a duplicate of this bug. ***
Package crypto-utils-2.4.1-46.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing crypto-utils-2.4.1-46.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1390/crypto-utils-2.4.1-46.fc19
then log in and leave karma (feedback).
crypto-utils-2.4.1-46.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
crypto-utils-2.4.1-48.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.