How to convert a signed SHA256RSA server certificate to SHA1RSA?

I am creating a private key in a keystore for Tomcat. After the certificate request is generated and sent, the server certificate that comes back has the SHA256RSA signature algorithm and ultimately gives the error "the chain cannot be established from the reply". The root and intermediate certificates are both SHA1RSA. When generating the key pair and requesting the certificate, SHA1RSA was specified as the signature algorithm.

Can anyone help with how to create a server certificate using SHA256RSA?

Here are the steps that I followed (broken into several lines for readability):

 keytool -genkey -dname "CN=xxxx, OU=Servers, O=xx, C=US" \
   -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 \
   -keypass xxx -keystore tomcat2k.keystore

 keytool -certreq -v -alias tomcat -keyalg RSA -sigalg SHA1withRSA \
   -keysize 2048 -keypass xxx -file certreq.csr -keystore tomcat2k.keystore

Certificates received: Root, Intermediate (both SHA1RSA) and Server (SHA256RSA).

Root and intermediate are imported. The server certificate cannot establish the chain.

1 answer

If you have access to openssl, I recommend using it instead of keytool. When you create the certificate signing request, use the -sha256 option to set the hash algorithm you want.

First create a certificate signing request:

 $ openssl genrsa -des3 -out server.key 4096
 $ openssl req -new -key server.key -out server.csr -sha256

You now have a certificate signing request, which you can optionally have signed by a CA. If you want to use a self-signed certificate instead, use the following; otherwise skip this step:

 $ openssl genrsa -des3 -out ca.key 4096
 $ openssl req -new -x509 -days 365 -key ca.key -out ca.pem -sha256
 # -sha256 on the signing step is what sets the signature algorithm of the
 # issued certificate; the -sha256 on the CSR only signs the request itself
 $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key \
     -set_serial 01 -sha256 -out server.pem

Finally, convert the signed certificate server.pem (together with the CA certificate) to p7b, as tomcat expects, and then import the p7b into the tomcat keystore.

 $ openssl crl2pkcs7 -nocrl -certfile server.pem -certfile ca.pem -out tomcat2k.p7b
 $ keytool -import -trustcacerts -alias server -file tomcat2k.p7b -keystore tomcat2k.jks
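As an added example (not code from the question or the answer above), the following POSIX shell script builds a root, intermediate and server certificate with openssl alone, prints the signature algorithm each artefact really carries, and verifies the chain with and without the intermediate. It illustrates both threads of the page: the digest passed to `openssl req` only signs the CSR, while the digest passed at signing time decides the certificate's signature algorithm (so the same CSR yields a sha256 or a sha384 certificate depending on the CA); and a chain check fails when the intermediate is not available to the verifier, whatever the signature algorithms involved, which is the situation the question describes. All subject names, file names, the `req.cnf` contents and the work directory are invented for the demonstration; only openssl and a POSIX shell are needed, and keytool is not used.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: build a
# root -> intermediate -> server chain with openssl only, show which
# signature algorithm each artefact really carries, and verify the chain.
# Every file name and subject below is invented for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, assumed writable
cd "$WORK"

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
# The subject comes from -subj; the [dn] section only has to exist.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Keys without a passphrase so the demo runs unattended (protect real keys).
for n in root intermediate server; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
done

# CSRs. -sha256 here only chooses the digest of the CSR's own signature;
# it is a hint to the CA, not a property of the certificate that comes back.
for n in root intermediate server; do
    openssl req -new -config req.cnf -key "$n.key" -subj "/CN=demo $n" \
        -sha256 -out "$n.csr"
done

# Extensions: CA certs must assert CA:TRUE or openssl verify rejects them
# as issuers; the leaf gets the usual server profile.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext

# Signing. The digest option on *these* commands is what ends up as the
# certificate's signatureAlgorithm. "Signature ok" chatter goes to /dev/null.
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
    -extfile ca.ext -set_serial 1 -out root.pem 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -days 365 \
    -sha256 -extfile ca.ext -set_serial 2 -out intermediate.pem 2>/dev/null
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
    -days 365 -sha256 -extfile server.ext -set_serial 3 -out server.pem 2>/dev/null
# Same CSR, different digest at signing time: the CA decides, not the CSR.
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
    -days 365 -sha384 -extfile server.ext -set_serial 4 -out server-sha384.pem 2>/dev/null

# Print the signatureAlgorithm of a PEM certificate ($2 = x509) or CSR ($2 = req).
sig_alg() {
    openssl "$2" -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Verify a leaf against a trust anchor, optionally with an untrusted
# intermediate supplied the way a server would send it. Exit status is
# openssl verify's: 0 only when a complete chain to the anchor exists.
verify_chain() {   # $1 = trust anchor, $2 = leaf, [$3 = intermediate]
    if [ "$#" -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

echo "CSR signature:            $(sig_alg server.csr req)"
echo "server.pem signature:     $(sig_alg server.pem x509)"
echo "server-sha384.pem:        $(sig_alg server-sha384.pem x509)"
if verify_chain root.pem server.pem intermediate.pem; then
    echo "root + intermediate + server: chain OK"
fi
if ! verify_chain root.pem server.pem; then
    echo "root + server only: chain cannot be built (the intermediate is missing)"
fi
```

Run it with `sh demo.sh`; set `WORK=/some/dir` to keep the generated files. The two `sig_alg` lines for `server.pem` and `server-sha384.pem` differ even though both came from the same `-sha256` CSR, which is the point about who controls the signature algorithm; the last `verify_chain` call fails only because the intermediate is absent from the verifier's view, which is the check to make before blaming SHA-1 versus SHA-256 for a "cannot establish chain" error.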
