{"id":5589,"date":"2016-02-04T10:06:05","date_gmt":"2016-02-04T02:06:05","guid":{"rendered":"http:\/\/rmohan.com\/?p=5589"},"modified":"2018-03-29T17:51:22","modified_gmt":"2018-03-29T09:51:22","slug":"openssl-certificate-request-with-sha256-signature","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5589","title":{"rendered":"OPENSSL CERTIFICATE REQUEST WITH SHA256 SIGNATURE"},"content":{"rendered":"

Technically at the moment there isn\u2019t anything really wrong with the SHA-1 hash function, but it is now quite old and is starting to show potential cracks. Hence the reason that the security industry is advising to move to something better. In this case SHA-256.<\/p>\n

1. Generate a SSL Key File<\/strong><\/p>\n

Firstly you will need to generate a key \u00a0file. The example below will generate a 2048 bit key file with a SHA-256 signature.<\/p>\n

\n
openssl genrsa -out key_name<\/var>.key 2048 <\/code><\/pre>\n<\/blockquote>\n
If you want extra security you could increase the bit lengths.<\/p>\n
\n
openssl genrsa -out key_name.key 4096<\/code><\/pre>\n<\/blockquote>\n
** Please note that both these examples will not add a password to the key file. To do that you will need to add -des3 to the command.<\/p>\n
2. Create a Certificate Signing Request (CSR)<\/strong><\/p>\n
This step will create the actually request file that you will submit to the Certificate Authority (CA) of your choice.<\/p>\n
\n
openssl req -out CSR.csr -key key_name.key -new -sha256<\/code><\/pre>\n<\/blockquote>\n
You can check that your Certificate Signing Request (CSR) has the correct signature by running the following.<\/p>\n
\n
openssl req -in CSR.csr -noout -text<\/code><\/pre>\n<\/blockquote>\n
It should display the following if the signature is correct.<\/p>\n
\n
Signature Algorithm: sha256WithRSAEncryption<\/code><\/pre>\n<\/blockquote>\n
3.\u00a0Install\u00a0the Certificate (CRT)<\/strong><\/p>\n
This step is very dependant of the software you use and I won\u2019t really cover. All I will say is that these certificates are supported by a multitude of software, including Apache HTTPD and NGINX.<\/p>\n
4. Test your installed Certificate<\/strong><\/p>\n
This step is extremely important and will show you any security problems with your SSL configuration.<\/p>\n
Qualys have a free hosted service that tests the SSL configuration of Internet facing web servers for SSL issues. The sites tested are rated from A to F, and a report is generated. This report is really useful for tuning your SSL configuration.<\/p>\n
https:\/\/www.ssllabs.com\/<\/a><\/p>\n
The SSL Labs tests are regularly updated when new issues are discovered. This means that if your server is rated as A today, next week it maybe rated as C<\/p>\n
 <\/p>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
2. Optional: Check to see if the CSR really has 256bit signatures<\/p>\n
openssl req -in CertificateRequest.csr -text -noout <\/b><\/p>\n
You should see \u201cSignature Algorithm: sha256WithRSAEncryption\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
3. Create the certificate<\/p>\n
We use the CSR and sign it with the private key and create a public certificate<\/p>\n
openssl x509 -req -days 365 -sha256 -in CertificateRequest.csr – signkey PrivateKey.key -out my256.crt <\/b><\/p>\n
4. Create PKCS key pair<\/p>\n
This combines the certificate with the private key to produce the public\/private key- pair and a password to allow import into PingFederate<\/p>\n
openssl pkcs12 -export -in my256.crt -inkey PrivateKey.key -out my256.p12 <\/b><\/p>\n
Enter Export Password:
\nVerifying – Enter Export Password: <\/b><\/p>\n
Use this password when importing the certificate into PingFederate<\/p>\n
5. You now have 2 certificates<\/p>\n
my256.crt<\/b> -this is the public key to give to the partner
\nmy256.p12<\/b> – signed private \/ public key for PingFederate \u201cDigital Signature Settings\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
<\/h5>\n<\/div>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Technically at the moment there isn\u2019t anything really wrong with the SHA-1 hash function, but it is now quite old and is starting to show potential cracks. Hence the reason that the security industry is advising to move to something better. In this case SHA-256.<\/p>\n
1. Generate a SSL Key File<\/p>\n
Firstly you will need […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5589"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5589"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5589\/revisions"}],"predecessor-version":[{"id":7292,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5589\/revisions\/7292"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}