Is it currently allowed for someone to choose their certificate to be signed using SHA-384 or SHA-512 yet? Are there plans to do so? If yes, approximately when?
@jsha Do you have any information?
It’s not on the roadmap at the moment.
It would be great if, when the algo is good (SHA-2), it would just take the one from the CSR (I always make my CSRs SHA512).
It’s debatable whether this is correct or not. I once had the same question:
I came to the conclusion that it’s not a very good idea. Just to give you an example, the GnuTLS shipped on most Ubuntu distributions is only capable of signing a CSR with SHA1. While this is fine for a CSR and generally irrelevant, as we all know, SHA1 certificates are deprecated.
Therefore, reusing the same algorithm of the CSR may not be a good idea (and it can also cause unexpected and unintentional issues to less technical users).
I said IF the algo is good.
For bad algos, just fall back to SHA256 or whatever the default will be.
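The policy debated in this thread (reuse the CSR's signature hash when it is a SHA-2 variant, otherwise fall back to SHA-256), as an added example that is not part of any post and is not Let's Encrypt's code. The DER input is constructed placeholder data rather than a real CSR, and the names `choose_cert_hash`, `csr_signature_hash` and `fake_csr` are hypothetical.

```python
# Added example: policy sketch only; it does not verify the CSR's signature.
RSA_PREFIX = bytes.fromhex("2a864886f70d0101")   # OID 1.2.840.113549.1.1 (PKCS #1)
SIG_OIDS = {                                     # RSA signature OIDs only
    RSA_PREFIX + b"\x05": "sha1",
    RSA_PREFIX + b"\x0b": "sha256",
    RSA_PREFIX + b"\x0c": "sha384",
    RSA_PREFIX + b"\x0d": "sha512",
}
ALLOWED = {"sha256", "sha384", "sha512"}         # assumed "good" set
DEFAULT = "sha256"                               # fallback named in the thread

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def csr_signature_hash(der):
    """Hash named by the CSR's outer signatureAlgorithm, or None if unknown."""
    tag, body, _ = read_tlv(der, 0)              # CertificationRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)                # skip certificationRequestInfo
    _, alg, _ = read_tlv(body, pos)              # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OID")
    return SIG_OIDS.get(oid)

def choose_cert_hash(der):
    """Reuse the CSR's hash only if it is on the allow-list."""
    h = csr_signature_hash(der)
    return h if h in ALLOWED else DEFAULT

def tlv(tag, value):                             # minimal DER encoder for samples
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value

def fake_csr(alg_byte):
    """Constructed CSR-shaped DER: placeholder info and dummy signature bits."""
    alg = tlv(0x30, tlv(0x06, RSA_PREFIX + bytes([alg_byte])) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x00")) + alg + tlv(0x03, b"\x00" + b"\xaa" * 256))
```

Calling `choose_cert_hash(fake_csr(0x05))` shows the SHA-1 case from the thread: the CSR's own hash is read as `sha1`, but the certificate hash chosen is the default.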