3

This might be me having done it wrong. I recently used OpenSSL to convert a .cer to .pem using this -

openssl x509 -inform der -in certificate.cer -out certificate.pem

(And then loaded the .pem onto the loadbalancer)

However the client browser (Chrome) reports it's SHA-1 and, although it works (connectivity-wise), it doesn't look good. Plus SHA-1 is old/being phased out.

Is this because of the openssl command I used? Should I have used -sha256 in my openssl command (from a quick googling around)?

As you can tell, bit new to certificates!

mrchinchin25

1 Answer

3

The "SHA-1" or "SHA-256" mentioned in Chrome is the hash that was used by the CA (Certification Authority) to create the signature on the certificate. The command you ran doesn't change the certificate at all, it merely changes the file format used (.cer is just the raw ASN.1 encoded certificate data; .pem is a base64-encoded form of the same ASN.1 data). The hashing scheme used for the signature is unrelated to the file formats.

If you want a SHA-256 certificate, you'll need to have one issued by a CA. These days, it's pretty much guaranteed that you'll get a SHA-256 certificate, because SHA-1 is very, very deprecated (hence why Chrome is warning you about it).

womble
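To see the point of the answer for yourself, here is an added example (not from the original post or answer) that self-signs a throwaway test certificate, converts it PEM -> DER (.cer) -> PEM exactly as in the question, and reads the recorded signature algorithm from each copy. The self-signed step stands in for the CA's signing; it assumes only that `openssl` is on PATH, and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: DER/PEM conversion only re-encodes a certificate; the signature
# algorithm is fixed when the CA signs it and survives every re-encoding.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# sig_alg FILE FORM : print the Signature Algorithm recorded in a certificate
sig_alg() {
  openssl x509 -inform "$2" -in "$1" -noout -text \
    | awk '/Signature Algorithm:/ { print $NF; exit }'
}

# make_cert DIGEST : self-sign a test cert with the given digest (constructed
# test data standing in for what a CA would issue), then round-trip the encoding
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/key.pem" \
    -out "$work/cert-$1.pem" -days 1 -subj "/CN=example.test" -"$1" 2>/dev/null
  # PEM -> DER (.cer), then the exact command from the question: DER -> PEM
  openssl x509 -in "$work/cert-$1.pem" -outform der -out "$work/cert-$1.cer"
  openssl x509 -inform der -in "$work/cert-$1.cer" -out "$work/cert-$1.roundtrip.pem"
}

# check DIGEST : return the signature algorithm, failing if any encoding differs
check() {
  make_cert "$1"
  a=$(sig_alg "$work/cert-$1.pem" pem)
  b=$(sig_alg "$work/cert-$1.cer" der)
  c=$(sig_alg "$work/cert-$1.roundtrip.pem" pem)
  [ "$a" = "$b" ] && [ "$b" = "$c" ] || { echo "encoding changed the algorithm?!" >&2; return 1; }
  echo "$a"
}

check sha256   # prints sha256WithRSAEncryption for all three files
```

Run it against a SHA-1 issued certificate (`sig_alg certificate.cer der`) and you will see sha1WithRSAEncryption no matter which format the load balancer is given; only a re-issued certificate changes that.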
  • Ah thanks. That confirms what we've just heard from the chaps issuing the CA - that their Server 2003 CA can only issue SHA-1. Which isn't ideal... but it puts the issue in their hands rather than ours! – mrchinchin25 Dec 17 '15 at 12:32
  • 1
    Server 2003 is out of security support. Anyone running a CA on that now needs to have their head examined. – womble Dec 17 '15 at 21:43
  • 1
    Touché, sir. Touché. – womble Dec 20 '15 at 21:46