Keith C. Perry on 14 Dec 2015 09:11:33 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] Moving from SHA1 to SHA2 for self-signed certificates |
Ok, just quickly looking back at my notes on this, the key facilities to be concerned with are: openssl req (allows you to create a self-signed CA) openssl x509 (allows you to sign the CSR you created with your CA) In both cases if you run those commands with a bad options (i.e. do "openssl req help" and "openssl x509 help" you will get back all the valid parameters, including which messages digests are valid. That said, on my Kubuntu 14.04 LTS system, running OpenSSL 1.0.1f 6 Jan 2014 I only have sha1 MACs available. This is weird because according to this link from 2014: http://techglimpse.com/sha256-hash-certificate-openssl/ OpenSSL 0.9.7h has sha2 algorithm support but when I look at my x509 parameter the "-nodes" one is missing. According to "openssl dgst --help" I do have sha2 support. Strange that- I'm going to have to dig into this myself or just compile OpenSSL but YMMV. ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Keith C. Perry, MS E.E. Owner, DAO Technologies LLC (O) +1.215.525.4165 x2033 (M) +1.215.432.5167 www.daotechnologies.com ----- Original Message ----- From: "Michael Leone" <turgon@mike-leone.com> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org> Sent: Monday, December 14, 2015 11:33:38 AM Subject: Re: [PLUG] Moving from SHA1 to SHA2 for self-signed certificates On Mon, Dec 14, 2015 at 11:18 AM, Keith C. Perry <kperry@daotechnologies.com> wrote: > > I'm going to guess that we are talking about certificates you have been signing for HTTPS use but if not please identify the use case(s). Yep, HTTPS ... > How did you issue them the first time? OpenSSL? Yes, OpenSSL 0.9.8g on Ubuntu 9.10 (yes, it's old, but I only use it for the occasional certificate, and internal SFTP server). ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug