Help with making a SHA >1 certificate


Help with making a SHA >1 certificate

Charles Mills

Please forgive my ignorance here. I’m really not a certificate expert. I’m a software developer trying to make certificates to use in a testing situation.

 

I’ve got some scripts that I have been using for years. I’ve just upgraded to 1.10f (but there are no upgrade issues that I know of – that’s not the problem).

 

My last test certificate expired. So I am trying to make another one. All I seem to be able to make are SHA-1 signed certificates, but I’m trying to load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I think because of the SHA-1. Here is how I am making the certificate. What do I have to do differently to make a SHA-512 (or at least some SHA > 1) certificate?

 

C:\OpenSSL-Win32-110f\bin\openssl.exe req -newkey rsa:2048 -sha512 -keyout %1.key.pem -out %1.req.pem -config openssl_edited_win32_default.cfg -extensions usr_cert -reqexts usr_cert -nodes -days 3650

C:\OpenSSL-Win32-110f\bin\openssl req -text -in %1.req.pem -sha512

C:\OpenSSL-Win32-110f\bin\openssl.exe ca -in %1.req.pem -config CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile CMC_root.key.pem -passin pass:password

 

Here is what I end up with:

 

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=[hidden email], O=Charles Mills Consulting, LLC

        Validity

            Not Before: Nov  6 19:13:09 2017 GMT

            Not After : Nov  6 19:13:09 2018 GMT

        Subject: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=[hidden email], O=CZAGENT_Nov2017

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

 

While we’re at it, why doesn’t my -days 3650 seem to have any effect?

 

Thanks!

 

Charles

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Help with making a SHA >1 certificate

warron.french
Charles, I am no expert either - sorry.

However, the question is why your signed certificate is not getting to be over 1 year in "length". What is the duration of the CA's certificate?

--------------------------
Warron French


On Mon, Nov 6, 2017 at 5:04 PM, Charles Mills <[hidden email]> wrote:


Re: Help with making a SHA >1 certificate

Jakob Bohm-7
In reply to this post by Charles Mills
Both the validity and the hash in the certificate are decided by the
"ca" command, which you didn't tell that you wanted sha512 and 10 years.

sha512 on req determines only the hash used by the requestor to prove
he has the private key and sign the name etc. *suggested* to the ca.

-days on req when generating a request does nothing, and should perhaps
produce a warning, since this option is only meaningful when used with
the -x509 option to produce a self-signed cert instead of a request.

On 06/11/2017 23:04, Charles Mills wrote:


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

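The mechanism Jakob describes, as an added example that is not part of the thread: a throwaway CA whose config defaults mirror the poster's symptom, with the same CSR issued once under those defaults and once with -md/-days given to `openssl ca`. It assumes an openssl binary on PATH and a POSIX shell; the config, file names and subjects are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA showing that the hash and
# validity of an issued certificate come from `openssl ca` (its config's
# default_md/default_days, or -md/-days on the command line), not from the
# -sha512/-days passed to `openssl req`. All names and subjects are constructed.
set -e
WORK=$(mktemp -d) && cd "$WORK"
mkdir newcerts && : > index.txt && echo 1000 > serial

# Minimal CA config. The poster's CA config evidently defaulted to sha1; sha256
# is used here only because some builds refuse to produce SHA-1 signatures.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca     = demo_ca
[ demo_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.pem
private_key    = $dir/ca.key
default_md     = sha256
default_days   = 365
unique_subject = no
policy         = demo_policy
[ demo_policy ]
commonName     = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF

# Self-signed root: -days is honoured here only because -x509 makes req emit a cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 3650 -subj /CN=DemoRoot \
    -keyout ca.key -out ca.pem -config ca.cnf 2>/dev/null
# A request signed with sha512; -days is ignored without -x509 (newer builds warn).
openssl req -newkey rsa:2048 -nodes -sha512 -days 3650 -subj /CN=leaf \
    -keyout leaf.key -out leaf.csr -config ca.cnf 2>/dev/null

# Issue once with the config defaults, once overriding them on the ca line.
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf-default.pem 2>/dev/null
openssl ca -batch -config ca.cnf -md sha512 -days 3650 -in leaf.csr \
    -out leaf-sha512.pem 2>/dev/null
# Signature algorithm as printed in the certificate's text dump.
sig_alg() { openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }
# Succeeds if the certificate is still valid $2 days from now.
valid_in_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; }
echo "config defaults: $(sig_alg leaf-default.pem)"
echo "ca -md/-days:    $(sig_alg leaf-sha512.pem)"
```

The first certificate comes out sha256WithRSAEncryption for 365 days and the second sha512WithRSAEncryption for 3650 days, regardless of what was passed to `req`; setting default_md = sha512 and default_days = 3650 in the CA config has the same effect as the command-line overrides.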

Re: Help with making a SHA >1 certificate

OpenSSL - User mailing list
> -days on req when generating a request does nothing, and should perhaps
> produce a warning, since this option is only meaningful when used with
> the -x509 option to produce a self-signed cert instead of a request.

https://github.com/openssl/openssl/pull/4692



Re: Help with making a SHA >1 certificate

Charles Mills
In reply to this post by warron.french

The CA’s certificate validity is

 

Not After : Nov 18 17:39:38 2024 GMT

 

Charles

 

From: openssl-users [mailto:[hidden email]] On Behalf Of warron.french
Sent: Monday, November 6, 2017 4:02 PM
To: [hidden email]
Subject: Re: [openssl-users] Help with making a SHA >1 certificate

 




Re: Help with making a SHA >1 certificate

warron.french
Charles, thanks for clarifying.  I was on the correct track, but for some reason couldn't confirm it.  (I chalk it up to being tired.  That's my story and I'm sticking to it.  lol).



--------------------------
Warron French


On Tue, Nov 7, 2017 at 9:37 AM, Charles Mills <[hidden email]> wrote:
