[openssl-users] Help with making a SHA >1 certificate

Charles Mills charlesm at mcn.org
Mon Nov 6 22:04:08 UTC 2017

Please forgive my ignorance here. I'm really not a certificate expert. I'm a
software developer trying to make certificates to use in a testing


I've got some scripts that I have been using for years. I've just upgraded
to 1.10f (but there are no upgrade issues that I know of - that's not the


My last test certificate expired. So I am trying to make another one. All I
seem to be able to make are SHA-1 signed certificates, but I'm trying to
load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I
think because of the SHA-1. Here is how I am making the certificate. What do
I have to do differently to make a SHA-512 (or at least some SHA > 1)


C:\OpenSSL-Win32-110f\bin\openssl.exe req -newkey rsa:2048 -sha512 -keyout
%1.key.pem -out %1.req.pem -config openssl_edited_win32_default.cfg
-extensions usr_cert -reqexts usr_cert -nodes -days 3650

C:\OpenSSL-Win32-110f\bin\openssl req -text -in %1.req.pem -sha512

C:\OpenSSL-Win32-110f\bin\openssl.exe ca -in %1.req.pem -config
CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile
CMC_root.key.pem -passin pass:password


Here is what I end up with:


    Signature Algorithm: sha1WithRSAEncryption

        Issuer: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charlesm at mcn.org, O=Charles Mills Consulting, LLC


            Not Before: Nov  6 19:13:09 2017 GMT

            Not After : Nov  6 19:13:09 2018 GMT

        Subject: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charlesm at mcn.org, O=CZAGENT_Nov2017

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)


While we're at it, why doesn't my -days 3650 seem to have any effect?






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171106/db602a2e/attachment.html>

More information about the openssl-users mailing list