
I want to SHA-256 the fingerprint using openssl. I tried, but it comes out as SHA-1. What should I do?

I'm using OpenSSL 1.0.1f.

Commands:

openssl md5 * >rand.dat

openssl genrsa -rand rand.dat -aes256 2048 > server.key

openssl req -new -key server.key -sha256 -config openssl.cfg > server.csr

openssl x509 -fingerprint -sha256 -in server.csr -req -signkey server.key -extensions v3_req -extfile openssl.cfg -out server.cer

Changed from the defaults as follows:

[ CA_default ]
default_md  = sha256    # Change

[ req ]
req_extensions = v3_req     # Uncomment
user3353855
  • From https://www.openssl.org/docs/apps/x509.html: "-md2|-md5|-sha1|-mdc2: the digest to use. This affects any signing or display option that uses a message digest, such as the -fingerprint, -signkey and -CA options. If not specified then SHA1 is used. If the key being used to sign with is a DSA key then this option has no effect: SHA1 is always used with DSA keys." However, it does not seem to affect the fingerprint. – user3353855 Feb 26 '14 at 06:50

1 Answer


How can I create a sha256 fingerprint in openssl

-sha256 is correct.


There's an example of signing a server's CSR with your own CA using OpenSSL at How do you sign OpenSSL Certificate Signing Requests with your Certification Authority?.


Based on the feedback, it appears SHA1 is hard-coded when using -fingerprint. Below is from <openssl dir>/apps/x509.c (all OpenSSL apps, like ca, x509, encrypt, decrypt, etc., are located in apps/). From around line 935 of x509.c:

else if (fingerprint == i)
    {
    int j;
    unsigned int n;
    unsigned char md[EVP_MAX_MD_SIZE];
    const EVP_MD *fdig = digest;

    if (!fdig)
        fdig = EVP_sha1();

    if (!X509_digest(x,fdig,md,&n))
        {
        BIO_printf(bio_err,"out of memory\n");
        goto end;
        }
    BIO_printf(STDout,"%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(fdig)));
    ....

As far as const EVP_MD *fdig = digest, digest can be set. But I can't tell what switch is supposed to be used. From around line 475:

else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
    {
    /* ok */
    digest=md_alg;
    }

That looks broken to me.

jww
  • I tried removing -fingerprint, but it is unchanged. – user3353855 Feb 26 '14 at 06:49
  • I created a CA-signed certificate with reference to the link, but the thumbprint is still SHA1. – user3353855 Feb 26 '14 at 06:50
  • It looks like a bug to me (see the additional information). – jww Feb 26 '14 at 07:04
  • @user3353855 - I was thinking.... try placing the `-sha256` as the *last* option, too. If it's the last option, `EVP_get_digestbyname` will return a good `EVP_MD` object that does not get over-written later with a bogus name (a bogus name returns `NULL`). – jww Feb 26 '14 at 17:45
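As the x509.c excerpt shows, the fingerprint is nothing more than X509_digest() over the certificate's DER bytes, printed as colon-separated hex under the digest's short name. The following added example (not code from the thread or from OpenSSL) recomputes that value independently and tells from a printed `-fingerprint` line which digest was actually applied, so the SHA1-instead-of-SHA256 symptom described above can be detected rather than trusted. SAMPLE_PEM is a constructed stand-in whose body is the base64 of the bytes "abc", not a real certificate; the digest computation is the same for a real one.

```python
import base64
import hashlib
import re

# Constructed PEM for the demo: the body is base64 of b"abc", not a real
# certificate. A fingerprint is only a digest of the bytes between the PEM
# markers, so the X.509 structure inside does not matter for this check.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Digest output sizes, used to recognise which algorithm produced a line.
_DIGEST_BYTES = {16: "md5", 20: "sha1", 32: "sha256"}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER certificate bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Digest the DER bytes and format the result the way
    `openssl x509 -noout -fingerprint -<algo>` prints it."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{algo.upper()} Fingerprint={pairs}"


def digest_of_printed_fingerprint(line: str) -> str:
    """Infer the algorithm actually used from the byte count of a printed
    fingerprint line; a 20-byte value means SHA1 regardless of what was asked."""
    m = re.search(r"Fingerprint=((?:[0-9A-Fa-f]{2}:?)+)$", line.strip())
    if not m:
        raise ValueError("not a fingerprint line")
    return _DIGEST_BYTES.get(len(m.group(1).replace(":", "")) // 2, "unknown")


def matches(pem: str, printed: str) -> bool:
    """Verify a printed fingerprint against an independent digest of the same
    certificate, using whichever algorithm the printed length implies."""
    algo = digest_of_printed_fingerprint(printed)
    if algo == "unknown":
        return False
    shown = printed.strip().split("=", 1)[1].upper()
    return shown == fingerprint(pem, algo).split("=", 1)[1]
```

Run `openssl x509 -noout -fingerprint -sha256 -in server.cer` and pass its output line to `digest_of_printed_fingerprint`; "sha1" back means the switch was not honoured.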