OpenSSL CA to sign CSR with SHA256 – Sign CSR issued with SHA-1

Published by Tobias Hofmann on


The overall process is:

  1. Create CA
    1. Private CA key
      1. Create private key
      2. Check private key
    2. Public CA certificate
      1. Create public certificate
      2. Check public certificate
  2. Sign CSR
    1. SHA-1
      1. Create CSR using SHA-1
      2. Check CSR
      3. Sign CSR enforcing SHA-256
      4. Check signed certificate
    2. SHA-256
      1. Create CSR using SHA-256
      2. Check CSR
      3. Sign CSR
      4. Check signed certificate

Sign CSR request – SHA-1

When a CSR is created, it is self-signed with a signature algorithm. Normally, this is SHA-1. Installing a TLS certificate that is signed with SHA-1 causes problems, as SHA-1 is no longer considered secure enough by Google, Mozilla, and other vendors. The final certificate therefore needs to be signed using SHA-256. If the CSR is only available with a SHA-1 signature, the CA can still sign it while enforcing a different algorithm: the digest used for the CSR's own signature has no bearing on the digest the CA uses for the certificate's signature.

Create CSR using SHA-1

openssl req -out sha1.csr -new -newkey rsa:2048 -nodes -keyout sha1.key

The command creates two files: sha1.key, containing the private key, and sha1.csr, containing the certificate signing request.

Check CSR

openssl req -verify -in sha1.csr -text -noout

The output shows the CSR's signature algorithm as SHA-1 (sha1WithRSAEncryption). Note that newer OpenSSL releases default to SHA-256 when creating a CSR; on those, -sha1 has to be passed to openssl req explicitly to reproduce this step.

Sign CSR enforcing SHA-256

Signing the CSR with the CA:

openssl x509 -req -days 360 -in sha1.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out sha1.crt -sha256

This will sign the CSR using SHA-256.

Check signed certificate

openssl x509 -text -noout -in sha1.crt

The certificate's signature algorithm is SHA-256 (sha256WithRSAEncryption). The original CSR's signature algorithm was SHA-1, but the resulting certificate is signed with SHA-256. Even when you cannot switch to SHA-256 during CSR creation, or the CSR is only available with a SHA-1 signature, it is still possible to move to SHA-256 when the CA signs the certificate, because only the CA's signature ends up in the issued certificate.
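The full flow from the outline above, run end to end in a scratch directory with the digest of each artefact read back afterwards. This is an example script added here, not part of the original post; the subject names, the scratch directory and the presence of an OpenSSL CLI on PATH are assumptions.

```shell
#!/bin/sh
# Added example: CA creation, SHA-1 CSR, CA signing with SHA-256 enforced,
# and a check of which digest each artefact actually carries.
# Assumes an OpenSSL CLI on PATH; subject names are placeholders.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Print the signature algorithm recorded in a CSR ($1=req) or certificate ($1=x509).
sig_alg() {
    openssl "$1" -in "$2" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# 1. CA: private key plus a self-signed certificate using SHA-256.
openssl genrsa -out ca.key.pem 2048 2>/dev/null
openssl req -x509 -new -key ca.key.pem -sha256 -days 365 \
    -subj "/CN=Example Test CA" -out ca.cert.pem

# 2a. CSR whose own self-signature uses SHA-1. Newer OpenSSL releases default
#     to SHA-256, so -sha1 is passed explicitly; builds that refuse SHA-1
#     signing altogether fall back to the default digest (the point still holds).
if ! openssl req -new -newkey rsa:2048 -nodes -keyout sha1.key -sha1 \
        -subj "/CN=example.test" -out sha1.csr 2>/dev/null; then
    openssl req -new -newkey rsa:2048 -nodes -keyout sha1.key \
        -subj "/CN=example.test" -out sha1.csr 2>/dev/null
fi
echo "CSR signature algorithm:  $(sig_alg req sha1.csr)"

# 2b. The CA signs the CSR, forcing SHA-256 for the certificate signature.
openssl x509 -req -days 360 -in sha1.csr -CA ca.cert.pem -CAkey ca.key.pem \
    -CAcreateserial -out sha1.crt -sha256 2>/dev/null
echo "Cert signature algorithm: $(sig_alg x509 sha1.crt)"

# 3. Chain check: the issued certificate must verify against the CA.
openssl verify -CAfile ca.cert.pem sha1.crt
```

Whatever digest the CSR was created with, the certificate's signature algorithm is reported as sha256WithRSAEncryption.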


Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.
