is possible to generate certificates with SHA1 fingerprint ?

ivanfm · October 15, 2016, 7:28pm

According to the docs

http://wiki.mikrotik.com/wiki/Manual:System/Certificates
“All certificate fingerprints are SHA1. Starting from v6.18 sha256 is used for certificate fingerprints and hashes”

I’m using internal generated certificates with openvpn, and the “OpenVPN Connect” client does not support SHA256 certificates (they are working fine with OpenVPN for Android).

But I have some users that have only the “OpenVPN Connect”, I did not have tested with IOS, but apparently the IOS have only this client also.

Is there any undocumented way (or documented in any other place) to generate the SHA1 certificates inside mikrotik router instead of the SHA256 certificates , or maybe create the both signatures in the certificate ?

Thanks

MartijnVdS · October 15, 2016, 8:31pm

I think they disabled it, because of the SHA1 phase out - https://isc.sans.edu/forums/diary/SHA1+Phase+Out+Overview/20423/

So I think SHA1 is not going to be supported again.

ivanfm · October 16, 2016, 1:08am

I known it will be phase out, but the official client does not support in Android and Windows, this can be a big problem how we can have a very secure server if most of clients connect to it.