34

Can a CSR be created in OpenSSL with SHA2? If so, what would the command be and what does this tell the CA, if anything? If you could create a CSR using SHA2 would it "tell" the signing CA to use it on the entire cert chain?

user53029
  • 2,657
  • 5
  • 24
  • 35
  • For what it's worth, I don't remember the details, but I've had no problems going SHA-2 with my CAs. They offer SHA-1 or SHA-2 as a choice when ordering or take the hint from the CSR; and they provide a fully SHA-2 chain, by default or at least as an alternate download. – Matt Nordhoff Aug 13 '14 at 04:28

1 Answers1

38

You can add, for example the -sha256 flag to the OpenSSL command line when generating the CSR. I don't believe any CA will change how they sign your CSR based on this, and it certainly won't affect the certificate chain. They're not resigning the cert chain for each key, the only signature operation they do is on your CSR itself. Any intermediate/root CAs provided will be exactly the same for all customers.

David
  • 15,814
  • 3
  • 48
  • 73
  • 5
    Yes, I was able to use the command openssl req -sha256 -new -key fd.key -out fd.csr to get a SHA2 CSR. If it has no bearing on how the CA signs the cert, then what are the use cases for creating a CSR with SHA2-256/384/512? I'm not clear on why its used. – user53029 Aug 13 '14 at 04:17
  • I suppose its hashed to prevent attackers from extracting the private key from it? – user53029 Aug 13 '14 at 04:27
  • 1
    No, RSA keeps your private key safe by nature. That's what it's for. :-) RSA can only sign relatively small things, so you hash the data and sign the conveniently-sized hash. – Matt Nordhoff Aug 13 '14 at 05:23
  • 15
    StartSSL certificates apparently respect the CSR SHA type, as I just had to resubmit a CSR but generated with `-sha256` in order to get the SHA2 cert back. – Charlie Gorichanaz Oct 16 '14 at 05:40
  • Not an available flag if you generate the CSR from an existing cert using `openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr` – Snekse Sep 17 '15 at 18:16
  • @Snekse It's not available on `req`, but it is available on `req`. For example: `openssl x509 -x509toreq -in my.crt -signkey my.key -sha256 -out my.csr` – TimZehta Jun 27 '18 at 16:14