Possible to move a SSL certificate from SHA1 to SHA256 without reissueing? - ssl

I have generated some ssl certificates using:
sudo openssl req -nodes -newkey rsa:2048 -keyout hostname.key -out hostname.csr
instead of:
sudo openssl req -nodes -sha256 -newkey rsa:2048 -keyout hostname.key -out hostname.csr
Is it possible to change the hash on the certificate without having to regenerate and reissue the certificate?

No, this is not possible.
Since the hash is used to sign the certificate by the issuing CA, the signature would be invalid if you change the hash no matter if the new hash would still be a valid hash of the certificate (because of just another algorithm).

No. You haven't just changed the certificate: you've changed the key that it authenticates.

Related

How to create root certificate authority using CLI? [OSX]

Hello I am trying to create root certificate authority for my own MITM proxy. Based on other tutorial I have used following command.
Generate a private key
openssl genrsa -out cert.key 2048
Generate a certificate
openssl req -new -nodes -x509 -key cert.key -days 365 -out cert.crt
Now the problem is when i try to add to keychain it shows Self Signed Root CA. What i have found is other MITM proxy like proxyman generates cert that shows Root Certificate Authority. Here is screenshot which illustrate my point.
I know i can make certificate that shows Root Certificate Authority from Keychain Access > Certificate Assistant > Create a Certificate Authority.
However my goal is to create certificate programmatically so I can generate certificate for other user easily.
Thanks
After several searching i found following command works. I don't know why it works it would be helpful.
openssl req -x509 -new -nodes -key cert.key -subj "/CN=HELLO" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf
It seem adding something related to v3_req fixes the issue.
Be sure to use latest version of openssl. I used homebrew to install openssl

Sign a User certificate with CA.key :openssl

I've a user certificate (certname.pem) and user key (keyname.pem) which I've generated using the command below.
openssl req -newkey rsa:2048 -nodes -keyout keyname.pem -x509 -days 365 -out certname.pem
Also I've generated a CA key (ca.key.pem) and CA root certificate (ca.root.pem) using the command below.
openssl req -x509 -days 557 -newkey rsa:1024 -out ca.root.pem -keyout ca.key.pem
Now I want to sign the user certificate (certname.pem) with the CA key (ca.key.pem) but I am unable to do so using the command below.
openssl ca -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -in certname.pem -out new-certname.pem
as this command gives error:
Error reading certificate request in certname.pem
139992806578040:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: CERTIFICATE REQUEST
Where as the contents of my certname.pem are as follows:
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIJALv1sRsVLIRgMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
BAYTAmluMQ0wCwYDVQQIDARhc2RmMQ0wCwYDVQQHDARhc2RmMQwwCgYDVQQKDANs
a2oxDDAKBgNVBAsMA2xrajEMMAoGA1UEAwwDbGtqMREwDwYJKoZIhvcNAQkBFgJs
ajAeFw0xODA3MDcxNDU1MzNaFw0xOTA3MDcxNDU1MzNaMGgxCzAJBgNVBAYTAmlu
MQ0wCwYDVQQIDARhc2RmMQ0wCwYDVQQHDARhc2RmMQwwCgYDVQQKDANsa2oxDDAK
BgNVBAsMA2xrajEMMAoGA1UEAwwDbGtqMREwDwYJKoZIhvcNAQkBFgJsajCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJxh0L94MzQgjTodq4/Eha4HmX4c
PPsb7H5cUzk1b4N9tfGPoINZ68CY+HqTwXtBTtiwIvkvP/nKD5cp9PhpDB/AI4Zx
c83J72iBpMefn1KgWAUMBNnxnYkezK7SY3osotakBXAT+4tJI1BXL/TAV74VKe9a
7rXSEqCTxcj/H0kbW+2WR/N5yDXjJk68k1A4oQ4wSLiejC9ycqHkZluKZjJl8XNh
9QnEsTtZRiX59FbRa64A16Alv7tBSSTxyCFfQqPxSpgiORoU1vRQqWxD7IV5WXl7
fQLaxR07nmJKxYSK7fGRdcXLQBmkWA0V0pA3qreDAznSfElk3GNhtx0Erk0CAwEA
AaNQME4wHQYDVR0OBBYEFGDedvJ2pbkR2wFsu60fjDPocMFsMB8GA1UdIwQYMBaA
FGDedvJ2pbkR2wFsu60fjDPocMFsMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAIIVz6Aiu1VwM71ecL7aNgyEuctAtfkiDfopKANtBA5yzLQZYlALSkjz
SIUD/vRkiT4C8ZOdfoWJkHxpk93uYH6xjDL8vsqthAA34FvDBMoecrOVNzJq5uBt
aJC4klj57uf1mPzW71yycS9IKFFGardqijjlHUyhgJVBs8kZbABT7ZedYA5UYdv+
SUNnzOU2Sm/ktPF5vWp8y4WjgujYnZQqj7pI4ucwYxb8WRW2EeeGpkbA6DuU7Tnv
frliIESdu9/UCQm7A5zxW47MKTBrVDfoRsbrbjFo9PiGCxG/7bglykFHovWVN2ez
uqLIdDOC2lNFBOJLPhf5w9s3fEGl8m8=
-----END CERTIFICATE-----
How to sign this certificate with the ca.key.pem?
Please help.
Reference for generating certificates - https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
Question originally answered by - https://stackoverflow.com/users/99027/john-deters
on https://security.stackexchange.com/questions/189148/sign-a-user-certificate-with-ca-key-openssl
You included -out certname.pem on your original request, which in this case instructed openssl to generate a self-signed root CA certificate named certname.pem. It is a certificate, but probably not the kind you want here.
I assume you instead want to use your newly minted CA to sign your public key and create a server certificate. You'll need to first generate a Certificate Signing Request (CSR) from your new key (the one in keyname.pem):
openssl req -out keyname.csr -key keyname.pem -new -days 365
You can then pass this CSR to request a certificate:
openssl ca -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -in keyname.csr -out new-certname.pem
Your issue is - CA signs a CSR (certificate signing request) and as a result is a completely new certificate issued by the CA
I have some examples ready for myself https://pastebin.com/m9rzFJ9c
#create certificate signing request
openssl req -new -key ./sslCA/private/myserver.key -out ./sslCA/private/cakey.csr
#sign the signing request
openssl x509 -req -days 365 -in ./sslCA/private/cakey.csr -signkey ./sslCA/private/myserver.key -out
./sslCA/private/cacert.pem

Does a SSL certificate created using rsa:2048 use an SHA-2 cryptographic hash algorithm?

Google is trying to phase out use of SSL certificates using SHA1 hashing algorithm. As result I want to create a SHA2 compliant self signed certificate. I understand the SHA is a hashing algorithm, whilst RSA is an encryption algorithm. I found the following command for producing the key and certificate pair:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
Will this produce a certificate using SHA-2 hashing algorithm?
After deploying the certificate, Chrome reports the following:
The hash algorithm used by the certificate issuer to sign a certificate request is unrelated to the certificate request itself. That means the CA might use SHA-2 for the 2048 bit key, but it might also use SHA-1. It might even re-sign the same certificate which was once signed with SHA-1 now with SHA-2.
Currently most (all?) public CA use SHA-2 because SHA-1 is phased out for security reasons.
In your case you use the openssl req command to create not only a certificate request but also sign it, i.e. create a self-signed certificate. Modern versions of openssl will use SHA-2 to sign this new certificate by default, older versions SHA-1. To enforce SHA-2 as the signature algorithm use the -sha256 argument.
I believe I have solved the issue. The command I have been using uses openssl's default hashing algorithm which is SHA-1. To create a SHA-2 hashed certificate one must specify an SHA-2 option. In this case I chose to use SHA-256. Following is the updated command:
openssl req -newkey rsa:2048 -sha256 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

modulus.io SSL need key file?

I would like to get SSL running on my subdomain api.rofulus.com
I checked out https://modulus.io/codex/projects/ssl
I created a certificate and key with:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csrls
I registered me on namecheap an bought a positiveSSL
https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
I uploaded the content of the server file to namecheap and I received 3 files:
api_rofulus_com.crt
PositiveSSLCA2.crt
AddTrustExternalCARoot.crt
But for custom SSL I need content of a key file. But my myserver.key is empty. So where or how can I get the key?
Thanks for help!
By using this command you have created certificate request server.csr:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
To see the contents of the request you can use:
openssl req -noout -text -in server.csr
Then you have uploaded server.csr to namecheap and got your certificates.
If your private key (myserver.key) is empty then i think you somehow corrupted it. You can reissue you certificate with the new key and certificate request. Drop a line to namecheap support, i think they can resolve this situation.

How to generate CSR for SSL that works with Nginx & Apache?

I want to generate the CSR file for requesting SSL (wildcard) certificate. This certificate and private key will be used on multiple machines with both Apache and Nginx.
RapitSSL states the following commands for the different setups:
Nginx
$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Apache Mod SSL
$ openssl genrsa -des3 -out <private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
Is there a way to generate a CSR that works with both Apache and Nginx?
Apache Mod SSL
$ openssl genrsa -des3 -out < private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
These two are obviously the exact same command, with a different way of writing the example name. They just generate the key pair, you'd need an additional req command to generate a CSR too.
genrsa generates a key pair, and req generates a CSR. However, req can perform both operations at once when using -newkey.
See OpenSSL req example documentation:
Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out req.pem
The same but just using req:
openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
How to generate CSR for SSL that works with Nginx & Apache ...
Is there a way to generate a CSR that works with both Apache and Nginx?
A quick answer to the questions to clarify things... Nginx and Apache don't consume CSRs. They use certificates and private keys.
Perhaps you meant to say something about a self-signed certificate? If so, add the -x509 option to the openssl req command. That creates a self signed certificate rather than a signing request.
There's a lot more to self-signed certificates (and server certificates in general). See, for example, How to create a self-signed certificate with openssl?