SSL / X.509 certificate tests

This is a collection of sample installations of X.509 certificates with various uncommon / new cryptographic algorithms that aren't widely used yet.

To test the certificates below, you need to install the root CA certificate. WARNING: This CA is purely used for tests on this webpage. I make no claims regarding the security and trustworthiness of it. You should remove it from your browser once you're finished.

Ideas for further tests are welcome.

RSA

These are more or less default RSA certificates. This is mainly to test if you have successfully installed the root certificate.

RSA with MD5 signature
RSA with SHA1 signature
RSA with SHA224 signature
RSA with SHA256 signature
RSA with SHA384 signature
Sub-CA with 2049 bit

RSASSA-PSS

PSS stands for "Probabilistic Signature Scheme" and is an improved, provably secure padding scheme for RSA. Its use in X.509 is specified in RFC 4055. The algorithm identifier carries a parameter block that specifies the hash algorithm for the input, the mask generation function (only MGF1 is possible), the hash algorithm for the mask generation function, and the salt length.

RSASSA-PSS with common options (SHA512, MGF1+SHA512, salt 32 bit)
RSASSA-PSS with differing hashes (SHA256, MGF1+SHA512, 32 bit salt)
RSASSA-PSS with default-settings (SHA1, MGF1+SHA1, salt 32 bit)
RSASSA-PSS with differing hashes (SHA384, MGF1+SHA1, salt 32 bit)
RSASSA-PSS with SHA-224
SubCA using dedicated RSASSA-PSS public key
RSASSA-PSS signature with RSA 2049 bit key (keysize n*8+1)
RSASSA-PSS signature with RSA 2055 bit key (keysize n*8-1)
RSASSA-PSS signature from sub-CA with RSA 2049 bit key (keysize n*8+1)
RSASSA-PSS signature from sub-CA with RSA 2055 bit key (keysize n*8-1)
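
The parameter block described above can be decoded with a small DER reader, which is useful when checking which hash, MGF hash and salt length a certificate actually declares. This is an added example, not code from this page or its author; the function names (read_tlv, children, alg_name, parse_pss_params) and the SAMPLE bytes are constructed for illustration, and fields absent from the encoding keep the RFC 4055 defaults.

```python
OIDS = {bytes.fromhex(h): n for h, n in [  # DER-encoded OID content bytes -> name
    ("2b0e03021a", "sha1"), ("2a864886f70d010108", "mgf1"),
    ("608648016503040204", "sha224"), ("608648016503040201", "sha256"),
    ("608648016503040202", "sha384"), ("608648016503040203", "sha512")]}
SAMPLE = bytes.fromhex(  # constructed sample: SHA256, MGF1+SHA512, saltLength 32
    "3034" "a00f300d06096086480165030402010500"
    "a11c301a06092a864886f70d010108300d06096086480165030402030500" "a203020120")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # contents of a constructed element -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def alg_name(seq_value):  # AlgorithmIdentifier contents -> (name, params or None)
    parts = children(seq_value)
    if not parts or parts[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    name = OIDS.get(parts[0][1], "unknown:" + parts[0][1].hex())
    return name, (parts[1] if len(parts) > 1 else None)

def parse_pss_params(der):
    """Decode RSASSA-PSS-params; absent fields keep their RFC 4055 defaults."""
    out = {"hash": "sha1", "mgf": "mgf1", "mgf_hash": "sha1", "salt_len": 20, "trailer": 1}
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    for ctx, wrapped in children(body):
        inner = read_tlv(wrapped, 0)[1]  # every field is EXPLICIT-tagged [0]..[3]
        if ctx == 0xA0:
            out["hash"] = alg_name(inner)[0]
        elif ctx == 0xA1:  # MGF1's own parameters name the hash it runs on
            out["mgf"], p = alg_name(inner)
            out["mgf_hash"] = alg_name(p[1])[0] if p and p[0] == 0x30 else out["mgf_hash"]
        elif ctx in (0xA2, 0xA3):
            out["salt_len" if ctx == 0xA2 else "trailer"] = int.from_bytes(inner, "big")
    return out
```

A verifier should compare the decoded values with what it is prepared to accept, since an empty SEQUENCE silently selects SHA1 for both hashes.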

TODO: broken samples (e.g. with MD5), subca with uncommon keysize (2041, 2047), ...

ECDSA

Cryptography based on elliptic curves claims to bring improved security with much smaller keys and thus improved performance. ECDSA within X.509 is specified in RFC 5758.

FIXME: Nothing here works yet
ECDSA with NIST curve secp521r1
TODO: subca with ec+ec, subca with ec+rsa, brainpool curves, binary field curves.

Ideas

OpenPGP certificates, NTRU (no RFC, patented), randomized hashing (no RFC), uncommon key sizes (mod8+1/7 bit), DSA, ...

Author

This page was set up by Hanno Böck. The image used is the Jabberwocky.

CC0