After I generated a new CA with the sha1 signature algorithm, it works.
Now I know that Windows XP without SP3 does not support sha256.
With that knowledge I tested the import on an SP3 machine and it works.
What is the disadvantage if we use certs with sha1?
Thank you for your help.
Regards
Andreas Schubert
Transline Deutschland Dr.-Ing. Sturz GmbH
···
"Martijn Brinkers" <m.brinkers(a)pobox.com> wrote on 15.07.2009 21:58:29:
That's really strange. I have tested it with different Windows XP
installations. Also others have been able to import the pfx without
problems. So the main question now is what's different in your setup?
I have seen problems installing certs in the past when access to the
registry was refused for some actions (the certs are imported into the
registry). Perhaps a virus scanner does not allow you to install a
root? What happens when you install only the root (as a cer file) into
the root store? Is it also installed into the intermediate store?
What is the disadvantage if we use certs with sha1?
"sha256 is more secure, while sha1 is more widely used", as Wikipedia
tells us:
SHA1 uses a 160-bit digest, which is easier to break than a 256-bit
digest. But of course, if Windows XP doesn't support sha256, you
shouldn't use sha256 if you think you'll communicate with people who are
still on Windows XP.
As long as you don't specifically want to protect your email against
government agencies or against criminals with tens of millions of
dollars available to break just your email, any of these algorithms
should be secure enough.
However, you create your CA for the next half decade or so, so you want
to be certain that your hashes are still secure five years from now. As
always, there's a tradeoff between security on the one hand, and ease of
use on the other.
At any rate, I'm glad you found the problem.
Bye bye
Christine