When looking at the certificate chain for an EC-signed domain using Comodo, we see the following hash and prime curves used. Here is a site for example:
Root      SHA-384   Prime 384 bit   (browser built-in root)
EC CA     SHA-384   Prime 256 bit   (Comodo EC intermediary)
Subject   SHA-256   Prime 384 bit   (calomel.org domain CRT)
Notice the Comodo EC root and intermediary use a SHA-384 hash, but the domain is using SHA-256. When submitting a CSR for an ECDSA certificate we hashed our CSR using SHA-384. When Comodo returns the domain's CRT file, the subject hash has been downgraded to SHA-256.
First question, why is Comodo “downgrading” the domain’s crt from SHA-384 to SHA-256?
Here are the openssl commands used:
openssl ecparam -out mydomain_ssl.key -name secp384r1 -genkey        # generate a P-384 private key
openssl req -new -sha384 -key mydomain_ssl.key -nodes -out mydomain.com_ssl.csr   # CSR, self-signed with SHA-384
openssl req -in mydomain.com_ssl.csr -text -noout                    # inspect the CSR
Second question, why would Comodo use a Prime 384 bit curve for the CA root, but a Prime 256 bit curve for the intermediary?
Thanks for your time.
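The following is an added example, not part of the original post or anything from Comodo, that reproduces the situation locally with a throwaway CA: the `-sha384` on the CSR only covers the requester's self-signature over the request, while the signature hash on the issued certificate is chosen by whoever signs it, and the signer's key curve is independent of the curve in the certificate it signs. The CA name and subject names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a local stand-in CA (not Comodo's) signs a P-384 CSR that was
# hashed with SHA-384, and we inspect which hash and curve end up where.
set -eu
WORK=$(mktemp -d)

# Print the signature algorithm of a PEM cert (x509) or request (req).
sig_alg() {
    openssl "$1" -in "$2" -noout -text | awk '
        /Signature Algorithm:/ && !s { s = $3 }
        END { print s }'
}

# Print the named curve of the public key inside a PEM cert or request.
curve() {
    openssl "$1" -in "$2" -noout -text | awk '
        /ASN1 OID:/ && !c { c = $NF }
        END { print c }'
}

# Requester side, as in the post: P-384 key and a CSR self-signed with SHA-384.
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/leaf.key"
openssl req -new -sha384 -key "$WORK/leaf.key" -subj "/CN=example.test" \
    -out "$WORK/leaf.csr"

# Constructed CA: a P-256 key whose own certificate is signed with SHA-384.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
openssl req -new -x509 -sha384 -key "$WORK/ca.key" -subj "/CN=Test CA" \
    -days 1 -out "$WORK/ca.crt"

# The CA signs the leaf with SHA-256; the CSR's hash plays no part in this choice.
openssl x509 -req -sha256 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null

printf 'CSR   : %s  %s\n' "$(sig_alg req  "$WORK/leaf.csr")" "$(curve req  "$WORK/leaf.csr")"
printf 'Leaf  : %s  %s\n' "$(sig_alg x509 "$WORK/leaf.crt")" "$(curve x509 "$WORK/leaf.crt")"
printf 'CA    : %s  %s\n' "$(sig_alg x509 "$WORK/ca.crt")"   "$(curve x509 "$WORK/ca.crt")"
```

Run against a real chain, the same two helpers applied to each certificate give the per-level hash/curve listing shown at the top of the post.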