Details
- Bug
- Status: Closed
- Normal
- Resolution: Duplicate
- Platform Core
Description
Certificate revocation lists are always signed with SHA1WithRSAEncryption, but when signing certificate signing requests and certificates, we default to SHA256WithRSAEncryption. If SHA256 is not available, we fall back to SHA1WithRSAEncryption.
We should refactor the CRL code to use the CertificateSigner code so that we use more secure defaults.
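The following sketch is an added example, not the project's CRL or CertificateSigner code. It signs a CRL through the same SHA256-then-SHA1 digest selection the description gives for certificates, and includes a small audit check on the resulting signature algorithm. All method names and the throwaway CA are constructed for illustration.

```ruby
require 'openssl'

# Digest preference order described in the ticket: SHA256 first, SHA1 as fallback.
PREFERRED_DIGESTS = %w[SHA256 SHA1].freeze

# True when this OpenSSL build can instantiate the named digest.
def digest_available?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# Return the first usable digest name from the preference list.
def pick_digest(candidates = PREFERRED_DIGESTS)
  candidates.find { |name| digest_available?(name) } ||
    raise(ArgumentError, "no usable digest among #{candidates.inspect}")
end

# Constructed throwaway CA (key + self-signed cert), for the demo only.
def build_test_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(pick_digest))
  [key, cert]
end

# Sign a CRL with the same digest selection used for certificates.
def sign_crl(ca_key, ca_cert, revoked_serials, digest_name = pick_digest)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # X.509 CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new(digest_name))
end

# Audit helper: true when a signature algorithm name is SHA-1 or MD5 based.
def weak_signature?(algorithm_name)
  algorithm_name.match?(/\A(sha1|md5)with/i)
end
```

Running `weak_signature?` over `crl.signature_algorithm` for CRLs already on disk shows which ones still carry a SHA-1 signature and need to be reissued.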