[openssl-users] Help with making a SHA >1 certificate

warron.french warron.french at gmail.com
Tue Nov 7 00:02:10 UTC 2017


Charles, I am no expert either - sorry.

However, regarding the question of why your signed certificate is not at
least getting to be over 1 year in "length": what is the duration of the
CA's certificate?

--------------------------
Warron French


On Mon, Nov 6, 2017 at 5:04 PM, Charles Mills <charlesm at mcn.org> wrote:

> Please forgive my ignorance here. I’m really not a certificate expert. I’m
> a software developer trying to make certificates to use in a testing
> situation.
>
> I’ve got some scripts that I have been using for years. I’ve just upgraded
> to 1.10f (but there are no upgrade issues that I know of – that’s not the
> problem).
>
> My last test certificate expired. So I am trying to make another one. All
> I seem to be able to make are SHA-1 signed certificates, but I’m trying to
> load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I
> think because of the SHA-1. Here is how I am making the certificate. What
> do I have to do differently to make a SHA-512 (or at least some SHA > 1)
> certificate?
>
> C:\OpenSSL-Win32-110f\bin\openssl.exe req -newkey rsa:2048 -sha512 -keyout %1.key.pem -out %1.req.pem -config openssl_edited_win32_default.cfg -extensions usr_cert -reqexts usr_cert -nodes -days 3650
>
> C:\OpenSSL-Win32-110f\bin\openssl req -text -in %1.req.pem -sha512
>
> C:\OpenSSL-Win32-110f\bin\openssl.exe ca -in %1.req.pem -config CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile CMC_root.key.pem -passin pass:password
>
> Here is what I end up with:
>
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charlesm at mcn.org, O=Charles Mills Consulting, LLC
>         Validity
>             Not Before: Nov  6 19:13:09 2017 GMT
>             Not After : Nov  6 19:13:09 2018 GMT
>         Subject: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charlesm at mcn.org, O=CZAGENT_Nov2017
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>
> While we’re at it, why doesn’t my -days 3650 seem to have any effect?
>
> Thanks!
>
> *Charles *
>
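
A check that can be run on `openssl x509 -text` output before loading a certificate into the key repository; on the dump quoted above it reports the SHA-1 signature and the 365-day validity. This is an added example, not part of the original thread; the function names and the weak-digest list are assumptions.

```python
import re
from datetime import datetime

# Abridged from the certificate dump quoted in the thread above.
SAMPLE_DUMP = """\
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Nov  6 19:13:09 2017 GMT
            Not After : Nov  6 19:13:09 2018 GMT
"""

# Assumption: digests to reject before import; adjust to the repository's policy.
WEAK_DIGESTS = ("md5", "sha1")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def _field(dump, label):
    """Return the text after 'label:' in an `openssl x509 -text` dump."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", dump, re.M)
    if m is None:
        raise ValueError("field not found: " + label)
    return m.group(1)


def check_cert_dump(dump, want_days):
    """Return (signature_algorithm, validity_days, problems)."""
    sig_alg = _field(dump, "Signature Algorithm")
    not_before = datetime.strptime(_field(dump, "Not Before"), DATE_FMT)
    not_after = datetime.strptime(_field(dump, "Not After"), DATE_FMT)
    days = (not_after - not_before).days
    problems = []
    # Substring match also catches names such as ecdsa-with-SHA1.
    if any(d in sig_alg.lower() for d in WEAK_DIGESTS):
        problems.append("weak signature digest: " + sig_alg)
    if days != want_days:
        problems.append("validity is %d days, requested %d" % (days, want_days))
    return sig_alg, days, problems


if __name__ == "__main__":
    alg, days, problems = check_cert_dump(SAMPLE_DUMP, want_days=3650)
    print(alg, days)
    for p in problems:
        print("FAIL:", p)
```

Both values in the issued certificate are set by `openssl ca` (its `-md` and `-days` options, or `default_md` and `default_days` in the CA config section), not by the options passed to `openssl req`.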