OpenSSL CA to sign CSR with SHA256 – Sign CSR issued with SHA-256

The overall process is:

  1. Create CA
    1. Private CA key
      1. Create private key
      2. Check private key
    2. Public CA certificate
      1. Create public certificate
      2. Check public certificate
  2. Sign CSR
    1. SHA-1
      1. Create CSR using SHA-1
      2. Check CSR
      3. Sign CSR enforcing SHA-256
      4. Check signed certificate
    2. SHA-256
      1. Create CSR using SHA-256
      2. Check CSR
      3. Sign CSR
      4. Check signed certificate

Sign CSR request – SHA-256

When a CSR is created a signature algorithm can be specified. Currently, this should be SHA-256. Installing a TLS certificate that is using SHA-256 ensures that browsers like Chrome, Firefox, etc won`t show a security warning to the user. Signing the CSR using the CA is straight forward.

Create CSR using SHA-256

openssl req -out sha256.csr -new -newkey rsa:2048 -nodes -keyout sha256.key –sha256

The command creates two files: sha256.key containing the private key and sha256.csr containing the certificate request.

Check CSR

openssl req -verify -in sha256.csr -text -noout

The signature algorithm of the CSR is SHA-256

Sign CSR

Singing the CSR using the CA

openssl x509 -req -days 360 -in sha256.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out sha256.crt

This will sign the CSR using SHA-256 as provided by CSR.

Check signed certificate

openssl x509 -text -noout -in sha256.crt

The certificate is signed using SHA-256.

 

 

 


Possible problem: the certificate may be signed using SHA-1.

Why is the certificate signed with SHA1? Without providing –sha256 parameter, openssl is using the default value. Depending on the version of openssl you are using, the default may be using SHA-1. This is the case when you use the default openssl binary available on MacOs.

openssl version –a

This version is old. Better to install a newer one using brew.

After updating, the default algorithm is SHA-256 and not SHA-1 anymore. In case you cannot update the default openssl binary, install a newer version to a different location and use that one.

OpenSSL CA to sign CSR with SHA256 – Create CA

The overall process is:

  1. Create CA
    1. Private CA key
      1. Create private key
      2. Check private key
    2. Public CA certificate
      1. Create public certificate
      2. Check public certificate
  2. Sign CSR
    1. SHA-1
      1. Create CSR using SHA-1
      2. Check CSR
      3. Sign CSR enforcing SHA-256
      4. Check signed certificate
    2. SHA-256
      1. Create CSR using SHA-256
      2. Check CSR
      3. Sign CSR
      4. Check signed certificate

Create a CA

To have a private CA with openssl, at least two steps are need: you need to create a private key and a public certificate. The public certificate will be used to sign CSRs.

Private CA key

Create private key

openssl genrsa -aes256 -out ca.key.pem 4096

The command will generate a private key using random data and ask you to provide a pass phrase. While possible to enter an empty pass phrase, it is highly recommended to provide one. In my test case, I simply use “test”. Remember: it is not a password, but a phrase. If you want, go crazy and use a full sentence.

Check private key

This creates a pass phrase protected private key. The key is password protected. This can easily be seen by opening the key and checking for the —–BEGIN RSA PRIVATE KEY—– section.

To validate that everything is OK with the private key, openssl can be used

openssl rsa –in ca.key.pem -check

The output prints RSA key ok.

Public CA certificate

Create public certificate

openssl req -key ca.key.pem -new -x509 -days 5000 -sha256 -extensions v3_ca -out ca.cert.pem

You`ll need to inform the pass phrase of the private key as well as some additional administrational data like the location of the server.

This created a new certificate for the CA using the private key.

Check public certificate

openssl x509 -in ca.cert.pem -text -noout

The Signature Algoritm is using SHA-256.

Using the above two commands, a private key and public certificate with usage type for CA was created. This certificate can now be used to sign CSR requests.