Creating an TLS certificate using keytool with SHA-256

Question

I want to create a TLS certificate for my personal tomcat8 webserver on a Debian ARM server. I've done this before, using the following command:

/usr/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/keystore/keystore_tomcat

I have the Calomel addon installed in Firefox, and this reports a 93% score, with all options except one having a 100% score. For the field MAC it reports 8/15 and SHA-1. I would like to use SHA-256 or the best alternative that is available.

What option do I need to get keytool to use SHA-256?

What does Calomel say in the "Ciphersuite" line? Do you have a screenshot? — StackzOfZtuff, Sep 12 '15 at 14:11
I've added a screenshot. It says `TLS_ECDHE_RSA_WITH_AES_128_cbc_SHA`. — SPRBRN, Sep 12 '15 at 14:23

score 4 · Accepted Answer · answered Sep 12 '15 at 14:28

4

Your certificate is already signed with SHA-256. (So the keytool part seems to have worked.)

It's just that your browser and your Tomcat server have negotiated a cipher suite where SHA1 is used as a MAC.

Same crypto building block, different use. You just need to find a way to tell Tomcat to prefer a SHA256 ciphersuite. (This blog might help: Mike Noordermeer, 2014-02-05, SSL/TLS, ciphers, perfect forward secrecy and Tomcat. Archived here.)

answered Sep 12 '15 at 14:28

StackzOfZtuff

17,783
1
50
86

Although if that tool is rating the hash in a *root* signature as relevant to security, it is very wrong and you should not trust its results. OTOH it apparently ignores the fact the cert is expired, which in general (not certs personally generated by the user) is a much worse risk than SHA1 HMAC. – dave_thompson_085 Sep 15 '15 at 15:10
@dave_thompson_085: yeah. Ugly. Didn't notice. But I hadn't heard about that addon before either. – StackzOfZtuff Sep 15 '15 at 15:46

Creating an TLS certificate using keytool with SHA-256

1 Answers1