[openssl-users] Help with making a SHA >1 certificate
Charles Mills
charlesm at mcn.org
Mon Nov 6 22:04:08 UTC 2017
Please forgive my ignorance here. I'm really not a certificate expert. I'm a
software developer trying to make certificates to use in a testing
situation.
I've got some scripts that I have been using for years. I've just upgraded
to 1.10f (but there are no upgrade issues that I know of - that's not the
problem).
My last test certificate expired. So I am trying to make another one. All I
seem to be able to make are SHA-1 signed certificates, but I'm trying to
load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I
think because of the SHA-1. Here is how I am making the certificate. What do
I have to do differently to make a SHA-512 (or at least some SHA > 1)
certificate?
C:\OpenSSL-Win32-110f\bin\openssl.exe req -newkey rsa:2048 -sha512 -keyout
%1.key.pem -out %1.req.pem -config openssl_edited_win32_default.cfg
-extensions usr_cert -reqexts usr_cert -nodes -days 3650
C:\OpenSSL-Win32-110f\bin\openssl req -text -in %1.req.pem -sha512
C:\OpenSSL-Win32-110f\bin\openssl.exe ca -in %1.req.pem -config
CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile
CMC_root.key.pem -passin pass:password
Here is what I end up with:
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charlesm at mcn.org, O=Charles Mills Consulting, LLC
Validity
Not Before: Nov 6 19:13:09 2017 GMT
Not After : Nov 6 19:13:09 2018 GMT
Subject: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charlesm at mcn.org, O=CZAGENT_Nov2017
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
While we're at it, why doesn't my -days 3650 seem to have any effect?
Thanks!
Charles
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171106/db602a2e/attachment.html>
More information about the openssl-users
mailing list