OpenSSL how to sign a certificate with SHA256

I would like to know how to use openSSL tools to sign a certificate signing request using sha256 as a digest message.

I do not quite understand if the digest is already calculated in the request, or if it is calculated by the CA.

To create a query, the req tool lets you specify which message digest to use, and -sha256 is an option.

However, openSSL provides two tools for signing requests: ca and x509. However, none of them allows you to use sha256. According to official documentation, ca only supports md5, sha1 and mdc2. x509 only supports md2, md5, sha1, mdc2.

Thanks.

+4
1 answer

I think the documentation may be old. I believe that it works, although it may or may not use the switch -md. Have you tried it yet?

According to this thread, sha2 support was enabled by default some time ago. Therefore, there is no reason why it should not work.

Indeed, this thread shows a user using -md sha256 with the ca command.

In addition, this thread seems to confirm that sha256 can be enabled in the openssl.cnf file as default_md for the CA.

+6
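
An added example (not part of the original question or answer) that signs one request both ways, with x509 -req -sha256 and with ca using default_md = sha256, and prints the resulting signature algorithms. The CA, the subject names and ca.cnf are constructed for the demo; the CSR is deliberately self-signed with SHA-384 to show that the certificate's digest is chosen by the CA at signing time, not taken from the request.

```shell
#!/bin/sh
# Added example: throwaway CA; all names and paths are constructed for the demo.

# Print the signature algorithm of a certificate (x509) or a request (req).
sig_alg() {  # usage: sig_alg x509|req FILE
    openssl "$1" -in "$2" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

demo_algs() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Throwaway CA key and self-signed CA certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
        # The CSR is self-signed with SHA-384 on purpose: that digest only
        # protects the request and is not carried into the certificate.
        openssl req -new -newkey rsa:2048 -nodes -sha384 \
            -subj "/CN=demo.example" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
        # Path 1: x509 -req, digest chosen with -sha256.
        openssl x509 -req -sha256 -in leaf.csr -CA ca.crt -CAkey ca.key \
            -set_serial 1 -days 1 -out leaf_x509.crt 2>/dev/null || exit 1
        # Path 2: ca, digest taken from default_md (ca -md sha256 overrides it).
        mkdir newcerts && : > index.txt && echo 02 > serial
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
new_certs_dir = newcerts
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
        openssl ca -batch -config ca.cnf -notext -in leaf.csr \
            -out leaf_ca.crt 2>/dev/null || exit 1
        echo "csr=$(sig_alg req leaf.csr) x509=$(sig_alg x509 leaf_x509.crt) ca=$(sig_alg x509 leaf_ca.crt)"
    )
    rc=$?; rm -rf "$work"; return $rc
}

demo_algs
```

Running the same sig_alg check against certificates from a real CA is a quick way to confirm the digest actually in use.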
