Can I get anSHA-256 certificate when the CSR is for SHA-1?

Question

I've read:

By default, OpenSSL cryptographic tools are configured to make SHA1 signatures. for example, if you want to generate a SHA256-signed certificate request (CSR) , add in the command line: -sha256

I was required to upgrade an existing SHA1 certificate to SHA256. I generated a new CSR and sent it off to RapidSSL, before realising that I hadn't specified -sha256 in the CSR.

I've contacted them and they say "a replacement for a Sha2 certificate has been made and current state of the order is waiting for an approval. Once the order is approved will the new certificate be issued with SHA2 algorithm."

My question is, is it possible for them to get my SHA1 CSR and say "ok, we're giving you an SHA256 certificate back anyway because that's all we do now"? And will that certificate work with the private key I've generated corresponding to that SHA1 CSR?

How does it work? When I pass in -sha256 (or when I don't) at the time of generating a CSR, what does that affect, other than just making a note in the CSR saying "hey, this person wants SHA256 encryption on their certificate"? Does it affect the generated private key in any way?

Answer 1

It's possible because the signature of a CSR is only used to prove that you are indeed the owner of the private key that matches with the public key embedded in the CSR. Once the CA (RapidSSL in your case) decides that the CSR is valid it's signature becomes meaningless for the further process of creating the certificate and is effectively discarded.

For the full gory details on what's in a certificate see rfc5280-4.1.2