Can a CSR be created in OpenSSL with SHA2?

  • Can a CSR be created in OpenSSL with SHA2? If so, what would the command be and what does this tell the CA, if anything? If you could create a CSR using SHA2 would it "tell" the signing CA to use it on the entire cert chain?

    For what it's worth, I don't remember the details, but I've had no problems going SHA-2 with my CAs. They offer SHA-1 or SHA-2 as a choice when ordering or take the hint from the CSR; and they provide a fully SHA-2 chain, by default or at least as an alternate download.

  • David (correct answer, 7 years ago)

    You can add, for example, the `-sha256` flag to the OpenSSL command line when generating the CSR. I don't believe any CA will change how they sign your CSR based on this, and it certainly won't affect the certificate chain. They're not re-signing the cert chain for each key; the only signature operation they do is on your CSR itself. Any intermediate/root CAs provided will be exactly the same for all customers.

    Yes, I was able to use the command `openssl req -sha256 -new -key fd.key -out fd.csr` to get a SHA2 CSR. If it has no bearing on how the CA signs the cert, then what are the use cases for creating a CSR with SHA2-256/384/512? I'm not clear on why it's used.

    I suppose it's hashed to prevent attackers from extracting the private key from it?

    No, RSA keeps your private key safe by nature. That's what it's for. :-) RSA can only sign relatively small things, so you hash the data and sign the conveniently-sized hash.

    StartSSL certificates apparently respect the CSR SHA type, as I just had to resubmit a CSR but generated with `-sha256` in order to get the SHA2 cert back.

    Not an available flag if you generate the CSR from an existing cert using `openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr`

    @Snekse It's not available on `req`, but it is available on `x509`. For example: `openssl x509 -x509toreq -in my.crt -signkey my.key -sha256 -out my.csr`
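The following script is an added worked example, not part of the original question, answer or comments. It walks through the thread end to end with a throwaway key and a throwaway CA so you can see for yourself which digest lands where: the `-sha256`/`-sha512` flag on `openssl req` only changes the digest in the CSR's own self-signature (the signature that proves the requester holds the private key and that the request was not altered in transit), while the digest in the issued certificate is whatever the signer passes when it signs, regardless of what the CSR used. It also shows the `openssl x509 -x509toreq ... -sha256` form from the last comment. The script assumes the `openssl` CLI (1.1.1 or 3.x) with its default config is on `PATH`; the key and subject names (`fd.key`, `example.test`, `Example Test CA`) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extract the first "Signature Algorithm:" value from an openssl -text dump.
sig_alg() {
  sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Requester's RSA key (name mirrors fd.key from the thread; constructed here).
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/fd.key" 2>/dev/null
}

# Build a CSR whose self-signature uses the given digest flag ($1, e.g. -sha256)
# and print the digest OpenSSL records in the CSR.
csr_digest() {
  openssl req -new "$1" -key "$WORK/fd.key" -subj "/CN=example.test" \
    -out "$WORK/fd.csr" 2>/dev/null
  openssl req -in "$WORK/fd.csr" -noout -text | sig_alg
}

# Check the CSR's self-signature (proof that the request matches the key).
# Exit status 0 means the signature verifies.
verify_csr() {
  openssl req -in "$WORK/fd.csr" -noout -verify >/dev/null 2>&1
}

# Throwaway self-signed CA standing in for the commercial CA (constructed).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Example Test CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
}

# The CA signs the CSR with the digest IT chooses ($1, e.g. -sha384) and we
# print the digest that ends up in the issued certificate. The CSR's own
# digest plays no part in this step.
issue_cert_digest() {
  openssl x509 -req "$1" -in "$WORK/fd.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/fd.crt" 2>/dev/null
  openssl x509 -in "$WORK/fd.crt" -noout -text | sig_alg
}

# Regenerate a CSR from an existing certificate, as in the last comment:
# the digest flag goes on the x509 subcommand, not on req.
csr_from_cert_digest() {
  openssl x509 -x509toreq -in "$WORK/fd.crt" -signkey "$WORK/fd.key" \
    -sha256 -out "$WORK/fd2.csr" 2>/dev/null
  openssl req -in "$WORK/fd2.csr" -noout -text | sig_alg
}

# Walk-through when run directly.
gen_key
echo "CSR signed with -sha256 : $(csr_digest -sha256)"
echo "CSR signed with -sha512 : $(csr_digest -sha512)"
verify_csr && echo "CSR self-signature        : verify OK"
make_ca
echo "Cert issued by CA -sha384 : $(issue_cert_digest -sha384)"
echo "CSR from cert (-sha256)   : $(csr_from_cert_digest)"
```

Run it and compare the lines: the CSR reports `sha512WithRSAEncryption` after the second request, yet the certificate issued from it reports `sha384WithRSAEncryption` because that is what the signer asked for. Whether a real CA takes the CSR's digest as a hint (as the StartSSL comment reports) or ignores it (as the accepted answer expects) is CA policy, not something the CSR can enforce.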

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM