How to create TLS SHA256 certificate request
One of our business partners is requesting us to use a TLS SHA256 certificate to connect to their APIs. I am not sure how to generate these requests. I have used openssl in the past to create these requests but it generated an SSL certificate using SHa1. Can I use openssl to generate this request? If not how do I generate what they are asking for?
I am no expert in this field so I don't even know if what I am asking makes sense.
CSR hash and cert hash not related
The hash type on the request and on the actual certificate are not related to one another.
The CA checks the signature on the CSR. That way, the CA can verify that the CSR was not changed in transit. That's all the signature on the CSR does.
There is no official (or even semi-official) in-band way of telling a CA what hash you want. Instead a CA company may run multiple CAs, one of which exclusively uses SHA256. And if you want SHA256, then you submit your CSR on the website of that one specific SHA256-only-CA. (And not on their SHA1-CA's website.)
What is often theorised is something like this: "If I submit a CSR signed with SHA1, then my cert will be signed with SHA1." This isn't usually done. (The only CA I know of that used to do this for some time was Gandi.net.)
How to sign a CSR with SHA256
That being said, use the -sha256
parameter to sign your CSR with SHA256 like so:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.example.com.sha256.csr -keyout www.example.com.key -subj "/C=US/ST=ExampleState/L=ExampleLocation/O=ExampleOrganisation/CN=www.example.com"
How the check the hash type of a CSR
And this is how you find out the hash type of your CSR:
$ openssl req -in www.example.com.sha256.csr -noout -text | grep Signature
Signature Algorithm: sha256WithRSAEncryption
Good. It's using SHA256 just like we wanted.
If you're using OpenSSL, you can simply add the -sha256
command line option, which will generate the CSR with the SHA-256 signature algorithm.