OpenSSL CA to sign CSR with SHA256 – Sign CSR issued with SHA-256

Published by Tobias Hofmann on

2 min read

The overall process is:

  1. Create CA
    1. Private CA key
      1. Create private key
      2. Check private key
    2. Public CA certificate
      1. Create public certificate
      2. Check public certificate
  2. Sign CSR
    1. SHA-1
      1. Create CSR using SHA-1
      2. Check CSR
      3. Sign CSR enforcing SHA-256
      4. Check signed certificate
    2. SHA-256
      1. Create CSR using SHA-256
      2. Check CSR
      3. Sign CSR
      4. Check signed certificate

Sign CSR request – SHA-256

When a CSR is created a signature algorithm can be specified. Currently, this should be SHA-256. Installing a TLS certificate that is using SHA-256 ensures that browsers like Chrome, Firefox, etc won`t show a security warning to the user. Signing the CSR using the CA is straight forward.

Create CSR using SHA-256

openssl req -out sha256.csr -new -newkey rsa:2048 -nodes -keyout sha256.key -sha256

The command creates two files: sha256.key containing the private key and sha256.csr containing the certificate request.

Check CSR

openssl req -verify -in sha256.csr -text -noout

The signature algorithm of the CSR is SHA-256

Sign CSR

Singing the CSR using the CA

openssl x509 -req -days 360 -in sha256.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out sha256.crt

This will sign the CSR using SHA-256 as provided by CSR.

Check signed certificate

openssl x509 -text -noout -in sha256.crt

The certificate is signed using SHA-256.

Possible problem: the certificate may be signed using SHA-1.

Why is the certificate signed with SHA1? Without providing –sha256 parameter, openssl is using the default value. Depending on the version of openssl you are using, the default may be using SHA-1. This is the case when you use the default openssl binary available on MacOs.

openssl version –a

This version is old. Better to install a newer one using brew.

After updating, the default algorithm is SHA-256 and not SHA-1 anymore. In case you cannot update the default openssl binary, install a newer version to a different location and use that one.

Let the world know
Categories: Technology
Tags:

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

2 Comments

Ben · March 12, 2021 at 18:25

Please note that the first command under “Create CSR – SHA-256” has a Unicode dash in the “-sha256” part. Copy-pasting it won’t work. Instead, retype it

Reply

    Tobias Hofmann · March 13, 2021 at 09:05

    Hi Ben,
    thanks for finding this. I fixed the text, it is working now with copy&paste.

    Reply

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

SAP Technology

Access to S/4HANA tutorials

5 min readQuick Tour is a feature from the FLP and part of user assistance. It can add tremendous value and is also featured in the SAP Learning course: Learning the Basics of SAP Fiori. Read more…

SAP Technology

Where is BAS 3.0?

3 min readRecently I faced a problem with SAP Business Application Studio. For solving it, I used Google. And I found an SAP Note: 3030549. The note contains a section about the affected products. Of Read more…

Technology

OData V4 service group is not published

5 min readScenario You want to connect the Fiori tools (BAS or VS Code) to your S/4HANA system. Problem The wizard for configuring / connecting the S/4HANA system shows an error for OData v4 services Read more…