
Problems in creating certificate with SHA256 / SHA512

0 votes
1 answer
4216 views
I want to generate a self-signed certificate with SHA256 or SHA512, but I have problems with it. I have created a script, which should do this automatically:

```bash
#!/bin/bash
set -e

echo "WORKSPACE: $WORKSPACE"

SSL_DIR=$(pwd)/httpd_ssl_certs
OPENSSL_CNF=$(pwd)/openssl.cnf

# start from an empty output directory
if [ -d "$SSL_DIR" ]; then
    rm -rvf "$SSL_DIR"
fi

mkdir -vp "$SSL_DIR"
pushd "$SSL_DIR"

# check if openssl.cnf exists
if [ ! -f "$OPENSSL_CNF" ]; then
    echo "Could not find $OPENSSL_CNF. Build will be exited."
    exit 1
fi

echo " - create private key"
openssl genrsa -out server.key.template 2048

echo " - create signing request"
openssl req -nodes -new -sha256 -config "$OPENSSL_CNF" -key server.key.template -out server.csr.template

echo " - create certificate"
openssl x509 -req -in server.csr.template -signkey server.key.template -out server.crt.template -extfile "$OPENSSL_CNF"
```

And I have an openssl.cnf file with configuration for it:

```ini
[ ca ]
default_ca = CA_default

[ CA_default ]
# how long to certify
default_days = 365
# how long before next CRL
default_crl_days = 30
# use public key default MD
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = server.key.template
distinguished_name = req_distinguished_name
prompt = no
encrypt_key = no
# add default_md to [ req ] for creating certificates with SHA256
default_md = sha256

[ req_distinguished_name ]
countryName = "AB"
stateOrProvinceName = "CD"
localityName = "Some town"
organizationName = "XXX Y"
organizationalUnitName = "XXX Y"
commonName = "localhost"
emailAddress = "somemail@some.org"
```

When I run the script with this openssl.cnf, then I get a certificate, but this certificate is always encrypted with SHA1.

I checked it with this command:

```bash
openssl x509 -in server.crt.template -text -noout | grep 'Signature'
```

I always get this output:

```
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
```

Can someone give me a hint, what's false there?
Asked by devopsfun (1447 rep)
Oct 17, 2016, 12:17 PM
Last activity: Jun 21, 2025, 03:01 AM
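The following is an added example, not the questioner's script: it runs the same genrsa / req / x509 -req flow, but names the digest explicitly on the self-signing step and then reads back which algorithm actually signed the certificate. It assumes only that the OpenSSL command-line tool is installed; the config file and directory are constructed inline.

```shell
#!/bin/bash
# Added example: self-signed RSA certificate with a SHA-256 signature.
# Assumes the OpenSSL CLI is on PATH; all inputs are created here.
set -e

# Create key, CSR and self-signed cert under the directory given as $1.
make_sha256_selfsigned() {
    local dir="$1"
    mkdir -p "$dir"
    # Minimal constructed config: default_md here only affects `openssl req`.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
CN = localhost
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/openssl.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr"
    # `x509 -req` does not read default_md from the config; without an explicit
    # digest, OpenSSL releases before 1.1.0 fall back to SHA-1 for RSA keys.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print the signature algorithm recorded in the certificate (first match only).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | grep 'Signature Algorithm' | head -n1 | awk '{print $3}'
}

# Usage: ./script.sh --demo  -> builds ./sha256_demo and prints the digest used.
if [ "${1:-}" = "--demo" ]; then
    make_sha256_selfsigned ./sha256_demo
    cert_sig_alg ./sha256_demo/server.crt   # prints sha256WithRSAEncryption
fi
```

The same check (`cert_sig_alg`) applied to the questioner's `server.crt.template` is what would show `sha1WithRSAEncryption`; after signing, verifying the recorded digest this way belongs in any build script that must not emit SHA-1 certificates.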