Versions Compared

Old Version 17

changes.mady.by.user Unknown User (swinter)

Saved on

compared with

New Version 18

changes.mady.by.user Unknown User (swinter)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

PropertyContentRemarks
signature algorithmSHA-1 or higher

Server certificates signed with the signature algorithm MD5 are considered invalid by many modern operating systems, e.g. Apple iOS 6.x and above. Having a server certificate (or an intermediate CA certificate) with MD5 signature will create problems on these operating systems.

Apparently, no operating system as of yet has an issue with the root CA being self-signed with MD5. This may change at any point in the future though, so when creating a new CA infrastructure, be sure not to use MD5 as signature algorithm anywhere.

length of public key1024 Bit or higherServer certificates with a length of the public key below 1024 bit are considered invalid by some recent operating systems, e.g. Windows 7 and above. Having a server certificate (or an intermediate CA certificate) with MD5 signature a too small public key will create problems on these operating systems.
Extension: Extended Key UsageTLS Web Server AuthenticationEven though the certificate is used for EAP purposes, some popular operating systems (i.e. Windows XP and above) require the certificate extension "TLS Web Server Authentication" (OID: 1.3.6.1.5.5.7.3.1) to be present. Having a server certificate without this extension will create problems on these operating systems.
Extension: CRL Distribution PointHTTP/HTTPS URI pointing to a valid CRL

Few very recent operating systems require this extension to be present; otherwise, the certificate is considered invalid. Currently, Windows Phone 8 is known to require this extension; Windows 8 can be configured to require it.

These operating systems appear to only require the extension to be present; they don't actually seem to download the CRL from that URL and check the certificate against it. One might be tempted to fill the certificate extension with a random garbage (or intranet-only) URL which does not actually yield a CRL; however this would make the certificate invalid for all operating systems which do evaluate the extension if present. So the URL should be a valid one.

...