Warnings

Below are explanations of the warnings you may see when using our CSR and Certificate Decoders.

The Certificate uses an MD5 Based Signature

This warning is given if the MD5 hash algorithm has been used to create the certificate's signature. The MD5 hash function has known weaknesses that can be exploited, so it should no longer be used when signing certificates. Researchers recently created a rogue CA certificate by exploiting a CA that issued MD5-based certificates. See this paper for more details.

The CSR has an Invalid Signature

The decoder checks the signature over the CSR and issues this warning if the signature is invalid. An invalid signature indicates the CSR is corrupt or the signature was created with a private key not associated with the public key in the CSR.

The CSR DN Contains Empty Values

You will see this warning if the CSR distinguished name contains a field with no value. For example, the decoder would issue a warning about the distinguished name given below because there is an empty locality field.

CN=www.acme.com,OU=widgets,O=acme,L=,ST=staffordshire,C=gb

If the subject field contains empty values, the CSR may be rejected by the CA. The Verisign CA, for example, requires all of the following fields to be present and to contain information:

  • Country
  • State
  • Locality
  • Organisation
  • Organisation Unit
  • Common Name
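
The empty-value check described above can be reproduced before a CSR is submitted. The following is an added example, not the decoder's own code; it assumes the DN is in the comma-separated string form shown above and that the short names C, ST, L, O, OU and CN correspond to the six listed fields. The function names are hypothetical.

```python
# Required attribute types (assumed short names for the fields listed above).
REQUIRED = {"C": "Country", "ST": "State", "L": "Locality",
            "O": "Organisation", "OU": "Organisation Unit", "CN": "Common Name"}


def split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators inside the value."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def check_dn(dn):
    """Return (empty, missing): types present with no value, required types absent."""
    seen, empty = set(), []
    for rdn in split_unescaped(dn, ","):
        if not rdn.strip():
            continue
        key, _, value = rdn.partition("=")
        key = key.strip().upper()
        seen.add(key)
        if not value.strip():
            empty.append(key)
    missing = [k for k in REQUIRED if k not in seen]
    return empty, missing


if __name__ == "__main__":
    # The DN from the example above: the locality field is empty.
    sample = "CN=www.acme.com,OU=widgets,O=acme,L=,ST=staffordshire,C=gb"
    empty, missing = check_dn(sample)
    for key in empty:
        print(f"warning: {REQUIRED.get(key, key)} ({key}) is empty")
    for key in missing:
        print(f"warning: {REQUIRED[key]} ({key}) is not present")
```

An escaped comma inside a value (for example an organisation name containing "\,") is treated as part of the value rather than as a field separator.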

For More Info

Please don't hesitate to contact us if you have any questions or would like more information.

Tel: +44 (0)1782 643438
Email: info@redkestrel.co.uk