Generating an SHA256 SSL CSR on CentOS/RHEL using genkey

The officially recommended method of generating a web server SSL certificate CSR (according to RHEL6 and CentOS 6 documentation) is to use the genkey utility. When used according to the docs, this produces a CSR with an SHA1 signature. Our CA has requested a CSR with an SHA256 signature (because we want an SHA256 SSL cert as per the new Chrome/IE browser requirements). I've not been able to find any docs on how to do this using genkey. I tried the --sha256 command line flag, but it's not recognized by genkey. Can anyone describe how to do this?


The interactive genkey command won't give you the option to change the defaults, but you should be able to update your /etc/pki/tls/openssl.cnf if you really want to use that command.

Change:

default_md = sha1

To:

default_md = sha256

Or you can use the openssl command directly. If the hashing algorithm is set to SHA1 by default, you can use the switch -sha256 to force SHA2.

openssl req -new -sha256 -key private.key > new_sha256.csr
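As an added example (not part of the answer above), the following script generates a key and CSR with the -sha256 switch and then reads the signature algorithm back out of the CSR, so you can confirm what you are sending the CA before pasting it in. It assumes openssl is on PATH; the subject "/CN=www.example.test" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): generate a 2048-bit RSA key and a CSR
# signed with the requested digest, then read the signature algorithm back out of
# the CSR so you can confirm what the CA will receive before submitting it.
# Assumptions: openssl is on PATH; "/CN=www.example.test" is a placeholder subject.

set -e

WORKDIR="$(mktemp -d)"

# Print the CSR's signature algorithm (e.g. sha256WithRSAEncryption) for a digest.
# $1 = digest name accepted by openssl req (sha256, sha1, ...)
csr_signature_alg() {
    digest="$1"
    key="$WORKDIR/private_$digest.key"
    csr="$WORKDIR/request_$digest.csr"

    # Private key: stays on the server and is never sent to the CA.
    openssl genrsa -out "$key" 2048 2>/dev/null

    # -sha256 (or -sha1) selects the digest used for the CSR's own signature,
    # overriding default_md in openssl.cnf; -subj avoids the interactive prompts.
    openssl req -new "-$digest" -key "$key" -subj "/CN=www.example.test" \
        -out "$csr" 2>/dev/null

    # Parse the CSR and print only the signature algorithm field.
    openssl req -in "$csr" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Quick demonstration when run directly: compare the two digests side by side.
echo "sha256 CSR signed with: $(csr_signature_alg sha256)"
echo "sha1   CSR signed with: $(csr_signature_alg sha1)"
```

On a system where SHA-1 signing is disabled by policy, the second line will simply come back empty.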


The signature you are referring to is found in the SSL Certificate, not the CSR. This is why you can't find the option. :)

What you need to do is make sure your Certificate Issuer is generating your certs based off of your CSR with the correct options. The exact method to do so changes from CA to CA. For example, GoDaddy generally have a drop-down box on the certificate request screen right under where you paste your CSR, and you can select SHA-1 or SHA-2 (which will generate the SHA256 cert).