Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How can I disable MD5 signature algorithm on Firefox when creating a CSR?

  • 3 replies
  • 3 have this problem
  • 1 view
  • Last reply by naldiello

more options

I'm trying to create a CSR (Certificate Signing Request) in a website using Firefox. When Firefox creates the pair of keys, it signs the CSR using MD5WithRSAEncryption. Due to FIPS compliance, the Certification Authority does not accept md5WithRSAEncryption. The CSR must be signed with sha1WithRSAEncryption.

I'm trying to create a CSR (Certificate Signing Request) in a website using Firefox. When Firefox creates the pair of keys, it signs the CSR using MD5WithRSAEncryption. Due to FIPS compliance, the Certification Authority does not accept md5WithRSAEncryption. The CSR must be signed with sha1WithRSAEncryption.

All Replies (3)

more options

hello, this is quite a detailed request, i'm not sure if something can be done about it within the current firefox preferences - here on the forums we're primarily focused on fixing "solvable" issues. you might want to file a bug report for this issue at https://bugzilla.mozilla.org instead, so that it will gain the attention of developers...

more options

I haven't dealt with CSR's too much, but is there a particular reason you're using Firefox to do this?

At least for SSL certificates, shouldn't this be done on the server?

more options

Hi madperson,

I believe I will report this as a bug since the changes I made should resolve this issue. Furthermore, Mozilla published that they will not be using MD5 signatures as off 2010 (https://wiki.mozilla.org/CA:MD5and1024).

In regards to yalam96's question: Depending on the use and application, some key pairs and CSR can be generated on the server side. For critical applications, such as financial applications, key pair should/must be generated on the client-side (browser) and CSR on the server, that way the CA is never in possession of the client's private key.

N.