If it's just as simple, this might be the right place/time to use sha256 for this sort of thing.

On Tue, May 26, 2015 at 12:35 PM, Brantley Coile <brantleycoile@me.com> wrote:
I just changed “md5(…)” to “sha1(…)” and added an object id to the table.  Once I figured out I didn’t have to use RSA to *sign* the CSR, but had to have something other than md5, it was easy.

> On May 26, 2015, at 2:00 PM, lucio@proxima.alt.za wrote:
>
>> I now have reason to believe that they just removed MD5 from known
>> signing algorithms, and that a SHA1 will work.  Anyone know anything
>> about this?
>
> There's an exploit for the MD5 version.  It looks pretty serious and
> deserves to be fixed by disabling the MD5 signing algorithm.
>
>       www.phreedom.org/research/rogue-ca/
>
> What exactly did you change in /sys/src/libsec/port/x509.c?  I had a
> quick look this morning, but I didn't have the opportunity to dig deep
> enough.
>
> Lucio.
>
>
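The thread turns on which signature algorithm OID a CSR carries. As an added example (portable C written for this page, not the libsec code or the poster's change), the sketch below walks a DER-encoded CSR or certificate to its signature AlgorithmIdentifier and reports the PKCS#1 algorithm arc, so an MD5-signed request can be spotted before it is submitted. The function names and the two sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Content bytes of OID 1.2.840.113549.1.1 (PKCS#1); the next arc names the algorithm. */
static const unsigned char PKCS1[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01};
enum { SIG_MALFORMED = -1, SIG_UNKNOWN = 0, SIG_MD5_RSA = 4, SIG_SHA1_RSA = 5, SIG_SHA256_RSA = 11 };

/* Constructed samples: SEQUENCE { empty body, AlgorithmIdentifier { OID, NULL }, BIT STRING }. */
static const unsigned char SAMPLE_MD5[] = {0x30,0x14, 0x30,0x00, 0x30,0x0D, 0x06,0x09,
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04, 0x05,0x00, 0x03,0x01,0x00};
static const unsigned char SAMPLE_SHA1[] = {0x30,0x14, 0x30,0x00, 0x30,0x0D, 0x06,0x09,
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, 0x05,0x00, 0x03,0x01,0x00};

/* Read one TLV header; on success store tag and length and move *p to the content. */
static int der_header(const unsigned char **p, const unsigned char *end, int *tag, size_t *len)
{
    const unsigned char *q = *p;
    size_t n, k;
    if (end - q < 2) return -1;
    *tag = *q++;
    n = *q++;
    if (n & 0x80) {                       /* long form: low 7 bits count the length bytes */
        k = n & 0x7F;
        if (k == 0 || k > sizeof(size_t) || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1; /* content must fit in the buffer */
    *p = q; *len = n;
    return 0;
}

/* Return the PKCS#1 algorithm arc of the outer signature, or SIG_UNKNOWN / SIG_MALFORMED. */
int sig_algorithm(const unsigned char *der, size_t derlen)
{
    const unsigned char *p = der, *end = der + derlen;
    int tag; size_t len;
    if (der_header(&p, end, &tag, &len) || tag != 0x30) return SIG_MALFORMED; /* outer SEQUENCE */
    end = p + len;
    if (der_header(&p, end, &tag, &len) || tag != 0x30) return SIG_MALFORMED; /* signed body */
    p += len;                                                                 /* skip it */
    if (der_header(&p, end, &tag, &len) || tag != 0x30) return SIG_MALFORMED; /* AlgorithmIdentifier */
    end = p + len;
    if (der_header(&p, end, &tag, &len) || tag != 0x06) return SIG_MALFORMED; /* OID */
    if (len != sizeof PKCS1 + 1 || memcmp(p, PKCS1, sizeof PKCS1) != 0) return SIG_UNKNOWN;
    return p[len - 1];
}

int main(void)
{
    printf("md5 sample: %d, sha1 sample: %d\n", sig_algorithm(SAMPLE_MD5, sizeof SAMPLE_MD5),
        sig_algorithm(SAMPLE_SHA1, sizeof SAMPLE_SHA1));
    return 0;
}
```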