Jorge_Herran_14
May 06, 2015

Implementing a Certificate with SHA2

I need to request a certificate from an authority, and it has to be SHA-2. I only see RSA, DSA or ECDSA to choose from, and the bits. The question is: if I choose RSA with 2048 bits, will the hash algorithm be SHA-2?

 

13 Replies

  • I understand that by default it is changed to sha256 since 11.5.0.

    ID389552 - Use SHA-256 instead of SHA1 when signing RSA keys.

    This is 11.6.0.

    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)# create sys crypto key test.key key-size 2048 gen-csr country US city Seattle state WA organization acme ou IT common-name test.acme.com email-address test@acme.com
    To sign a third party certificate use:
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)# q
    [root@ve11c:Active:In Sync] config #
    [root@ve11c:Active:In Sync] config # openssl req -noout -text -in /config/ssl/ssl.csr/test.csr | grep -i signature
        Signature Algorithm: sha256WithRSAEncryption
    
    • Jorge_Herran_14
      Thanks nitass. I will do as you have shown me. I understand from your answer that it isn't possible to do it from the graphical interface, right?
    • Jorge_Herran_14
      Hi nitass, you know, I checked the certificate that I have generated from the graphical interface and, you know, it is sha256, so when you select RSA on version 11.6, it uses sha256 by default. Here is my check, thanks to your info:
      [root@ltm1:Active:In Sync] config # openssl req -noout -text -in /config/ssl/ssl.csr/aunclic.grupobancolombia.com.csr | grep -i signature
          Signature Algorithm: sha256WithRSAEncryption
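
The `openssl req ... | grep -i signature` check used in this thread, extended to every CSR in a directory so that requests generated before the SHA-256 default are caught before they go to the CA. This is an added example, not part of any post above; the function names are hypothetical, and the directory is passed as an argument (the thread's CSRs live in /config/ssl/ssl.csr).

```shell
#!/bin/bash
# Added example: report the signature hash family of each CSR in a directory.
# Function names are hypothetical; only standard openssl/awk/tr calls are used.

# Print the signature algorithm of one PEM CSR, e.g. sha256WithRSAEncryption.
# Prints nothing if the file cannot be parsed as a CSR.
csr_sigalg() {
    openssl req -noout -text -in "$1" 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Map an algorithm name to a hash family: sha2, sha1, legacy, unreadable, other.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *sha224*|*sha256*|*sha384*|*sha512*) echo sha2 ;;
        *sha1*)                              echo sha1 ;;
        *md5*|*md2*)                         echo legacy ;;
        '')                                  echo unreadable ;;
        *)                                   echo other ;;
    esac
}

# Audit every *.csr in a directory; return 1 if any is not SHA-2 signed.
audit_csr_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.csr; do
        [ -e "$f" ] || continue          # directory empty or missing
        alg=$(csr_sigalg "$f")
        class=$(classify_sigalg "$alg")
        printf '%-10s %-28s %s\n' "$class" "${alg:--}" "$f"
        [ "$class" = sha2 ] || rc=1
    done
    return "$rc"
}

# Run only when a directory is given, e.g.: ./audit.sh /config/ssl/ssl.csr
if [ $# -gt 0 ]; then
    audit_csr_dir "$1"
fi
```

The CSR's signature hash only covers the request itself; the hash on the issued certificate is chosen by the CA, so run the same check with `openssl x509` on the certificate that comes back.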