This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:
HCL Notes/Domino 8.5 Forum (includes Notes Traveler)
Subject: SSL certificate for Domino with SHA-1 hash rather than flawed MD5?
Feedback Type: Problem
Product Area: Domino Server
Technical Area: Administration
Platform: ALL
Release: 8.5.1
Reproducible: Always
Has anyone succeeded in creating a Domino server certificate request (CSR) with SHA-1 hashes instead of MD5? I'm trying to get a Domino CSR signed by a browser-recognised CA but they reject the request with the message:
"A weakness in the MD5 cryptographic hash function allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". StartCom disallows the use of MD5 hash signatures for all end-user certificates. SHA1 or better should be used instead."
I followed some suggestions on the Internet, including the most promising one from http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments but the last bit fails, probably because that version of ikeyman doesn't support SHA-1. For some reason the latest version of ikeyman (included in Domino 8.5.1) doesn't seem to support the Domino kyr key ring files.
Domino folks - anyone managed to get around this problem?
IBM - any plans to change the hash algorithm to something less depreciated?
Feedback number WEBB83SRUT created by ~Keiko Xanhipiverakol on 03/22/2010
Status: Open
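A pre-submission check for the rejection quoted above, added here as an example and not part of the original post or of any Domino tooling: it reads the `signatureAlgorithm` field of a PKCS #10 request (PEM or DER) and reports whether the CSR was signed with MD5. The function names are hypothetical, `sample_csr` builds a constructed skeleton with a dummy key and signature, and the signature itself is not verified.

```python
import base64

SIG_OIDS = {  # PKCS #1 signature-algorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 digits, high bit set on all but the last
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def csr_signature_algorithm(data):
    """Name (or dotted OID if unknown) of the algorithm that signed a CSR."""
    if b"-----BEGIN" in data:  # PEM: drop the armor lines, decode the base64 body
        body = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(body))
    outer_tag, outer, _ = read_tlv(data, 0)
    _, _, pos = read_tlv(outer, 0)        # skip certificationRequestInfo
    _, alg, _ = read_tlv(outer, pos)      # signatureAlgorithm
    oid_tag, oid, _ = read_tlv(alg, 0)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a PKCS #10 request")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def uses_md5(data):  # True for a request the CA quoted above would reject
    return csr_signature_algorithm(data) == "md5WithRSAEncryption"

def der(tag, body):  # minimal encoder for the sample only; bodies under 256 bytes
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def sample_csr(oid_last_byte):  # constructed skeleton: dummy key and signature
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") * 2 + der(0xA0, b""))
    oid = der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([oid_last_byte]))
    return der(0x30, info + der(0x30, oid + der(0x05, b"")) + der(0x03, bytes(129)))
```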
Comments: