<div dir="ltr">Charles, I am no expert either - sorry.<div><br></div><div>However, the question about why is your signed certificate at least not getting to be over 1 year in "length?" What is the duration of the CA's certificate?</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--------------------------<br><font color="#000099" size="4">Warron French<br><font size="4"><font size="4"><font size="4"><br></font></font></font></font></div></div></div>
<br><div class="gmail_quote">On Mon, Nov 6, 2017 at 5:04 PM, Charles Mills <span dir="ltr"><<a href="mailto:charlesm@mcn.org" target="_blank">charlesm@mcn.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_-3925596800802755030WordSection1"><p class="MsoNormal">Please forgive my ignorance here. I’m really not a certificate expert. I’m a software developer trying to make certificates to use in a testing situation.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I’ve got some scripts that I have been using for years. I’ve just upgraded to 1.10f (but there are no upgrade issues that I know of – that’s not the problem).<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">My last test certificate expired. So I am trying to make another one. All I seem to be able to make are SHA-1 signed certificates, but I’m trying to load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I think because of the SHA-1. Here is how I am making the certificate. What do I have to do differently to make a SHA-512 (or at least some SHA > 1) certificate?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">C:\OpenSSL-Win32-110f\bin\<wbr>openssl.exe req -newkey rsa:2048 -sha512 -keyout %1.key.pem -out %1.req.pem -config openssl_edited_win32_default.<wbr>cfg -extensions usr_cert -reqexts usr_cert -nodes -days 3650<u></u><u></u></p><p class="MsoNormal">C:\OpenSSL-Win32-110f\bin\<wbr>openssl req -text -in %1.req.pem -sha512<u></u><u></u></p><p class="MsoNormal">C:\OpenSSL-Win32-110f\bin\<wbr>openssl.exe ca -in %1.req.pem -config CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile CMC_root.key.pem -passin pass:password<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Here is what I end up with:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"> Signature Algorithm: sha1WithRSAEncryption<u></u><u></u></p><p class="MsoNormal"> Issuer: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=<a href="mailto:charlesm@mcn.org" target="_blank">charlesm@<wbr>mcn.org</a>, O=Charles Mills Consulting, LLC<u></u><u></u></p><p class="MsoNormal"> Validity<u></u><u></u></p><p class="MsoNormal"> Not Before: Nov 6 19:13:09 2017 GMT<u></u><u></u></p><p class="MsoNormal"> Not After : Nov 6 19:13:09 2018 GMT<u></u><u></u></p><p class="MsoNormal"> Subject: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=<a href="mailto:charlesm@mcn.org" target="_blank">charlesm@<wbr>mcn.org</a>, O=CZAGENT_Nov2017<u></u><u></u></p><p class="MsoNormal"> Subject Public Key Info:<u></u><u></u></p><p class="MsoNormal"> Public Key Algorithm: rsaEncryption<u></u><u></u></p><p class="MsoNormal"> Public-Key: (2048 bit)<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">While we’re at it, why doesn’t my –days 3650 seem to have any effect?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks!<span class="HOEnZb"><font color="#888888"><u></u><u></u></font></span></p><span class="HOEnZb"><font color="#888888"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><i>Charles </i><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></font></span></div></div><br>--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>