Please forgive my ignorance here. I’m really not a certificate expert. I’m a software developer trying to make certificates to use in a testing situation. I’ve got some scripts that I have been using for years. I’ve just upgraded to 1.10f (but there are no upgrade issues that I know of – that’s not the problem). My last test certificate expired. So I am trying to make another one. All I seem to be able to make are SHA-1 signed certificates, but I’m trying to load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I think because of the SHA-1. Here is how I am making the certificate. What do I have to do differently to make a SHA-512 (or at least some SHA > 1) certificate? C:\OpenSSL-Win32-110f\bin\openssl.exe req -newkey rsa:2048 -sha512 -keyout %1.key.pem -out %1.req.pem -config openssl_edited_win32_default.cfg -extensions usr_cert -reqexts usr_cert -nodes -days 3650 C:\OpenSSL-Win32-110f\bin\openssl req -text -in %1.req.pem -sha512 C:\OpenSSL-Win32-110f\bin\openssl.exe ca -in %1.req.pem -config CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile CMC_root.key.pem -passin pass:password Here is what I end up with: Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charlesm@xxxxxxx, O=Charles Mills Consulting, LLC Validity Not Before: Nov 6 19:13:09 2017 GMT Not After : Nov 6 19:13:09 2018 GMT Subject: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charlesm@xxxxxxx, O=CZAGENT_Nov2017 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) While we’re at it, why doesn’t my –days 3650 seem to have any effect? Thanks! Charles |
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
