Keith C. Perry on 14 Dec 2015 09:11:33 -0800



Re: [PLUG] Moving from SHA1 to SHA2 for self-signed certificates


Ok, just quickly looking back at my notes on this, the key facilities to be concerned with are:

openssl req (allows you to create a self-signed CA)
openssl x509 (allows you to sign the CSR you created with your CA)

In both cases, if you run those commands with a bad option (i.e. do "openssl req help" and "openssl x509 help"), you will get back all the valid parameters, including which message digests are valid.

That said, on my Kubuntu 14.04 LTS system, running OpenSSL 1.0.1f 6 Jan 2014 I only have sha1 MACs available.

This is weird because according to this link from 2014:

http://techglimpse.com/sha256-hash-certificate-openssl/

OpenSSL 0.9.7h has sha2 algorithm support, but when I look at my x509 parameters the "-nodes" one is missing. According to "openssl dgst --help" I do have sha2 support.

Strange that-

I'm going to have to dig into this myself or just compile OpenSSL but YMMV.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167 
www.daotechnologies.com

----- Original Message -----
From: "Michael Leone" <turgon@mike-leone.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Monday, December 14, 2015 11:33:38 AM
Subject: Re: [PLUG] Moving from SHA1 to SHA2 for self-signed certificates

On Mon, Dec 14, 2015 at 11:18 AM, Keith C. Perry
<kperry@daotechnologies.com> wrote:
>
> I'm going to guess that we are talking about certificates you have been signing for HTTPS use but if not please identify the use case(s).

Yep, HTTPS ...

> How did you issue them the first time?  OpenSSL?

Yes, OpenSSL 0.9.8g on Ubuntu 9.10 (yes, it's old, but I only use it
for the occasional certificate, and internal SFTP server).
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
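
The two steps named in the message above (openssl req for the self-signed CA, openssl x509 to sign the CSR) with the digest requested explicitly, as an added example that is not part of the original post. The subject names, file names, key size and lifetimes are constructed, and it assumes an openssl build that accepts -sha256.

```shell
#!/bin/sh
# Added example: issue a SHA-256 signed certificate from a self-signed CA,
# then read back the signature algorithm to confirm what was actually used.

make_sha256_chain() {
    dir=$1
    # 1. Self-signed CA certificate (openssl req -x509), digest given explicitly.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.internal" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1

    # 3. Sign the CSR with the CA (openssl x509 -req). The digest is passed
    #    again here so the result does not depend on the build's default.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Print the signature algorithm recorded in a certificate.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_sha256_chain "$demo_dir"; then
    for cert in ca.crt server.crt; do
        echo "$cert: $(sig_alg "$demo_dir/$cert")"
    done
else
    echo "certificate generation failed (is -sha256 supported by this openssl?)" >&2
fi
rm -rf "$demo_dir"
```

Running sig_alg against an existing certificate shows whether it needs to be reissued: sha1WithRSAEncryption marks a certificate still signed with SHA-1.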