Creating SHA2 certificate using openssl
Prerequisites
A system with openssl installed is required. This is easiest on Linux, including VNX control stations, which have openssl pre-installed, but openssl can also be installed on any system, including Windows.
Steps
To create a sha256 CSR, issue the following commands:
$ openssl genrsa -des3 -out pkey 2048
$ openssl req -new -sha256 -key pkey -out sha256.csr -days 1825 -passin pass:emcin -subj '/CN=10.x.x.x/'
$ openssl req -in sha256.csr -noout -text | grep Algo
Public Key Algorithm: rsaEncryption
Signature Algorithm: sha256WithRSAEncryption
sha256.csr is the CSR, which can be sent to the CA for signing with sha2.
For the CSR, a template can also be used with openssl. The template file needs to be created, such as the following example:
# cat mytemplate.txt
[req]
# take the DN values below as given instead of prompting for them
prompt = no
distinguished_name=req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName=US
stateOrProvinceName=Florida
localityName=myCity
organizationName=MyCompany
commonName=10.20.16.252
[ v3_req ]
subjectKeyIdentifier=hash
subjectAltName= @alt_names
[alt_names]
DNS.1=vnxspa.domain.com
IP.1=10.0.0.1
To use this template file, the following command would be issued:
# openssl req -new -sha256 -key <server.key> -out <request.csr> -days <1865> -config <mytemplate.txt> -passin pass:emcemc
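A template-based request can be checked before it goes to the CA. The following is an added example, not part of the original article: it builds a CSR from the template values shown above (with prompt = no so openssl does not ask for the DN) and confirms the SHA-2 RSA signature and the requested subjectAltName entries. The directory layout, the unencrypted throwaway key and the function names are assumptions.

```shell
# Added example, not the article's own code; file and function names are assumptions.
# make_csr DIR: write the template, a throwaway key and a SHA-256 CSR into DIR.
make_csr() {
    cat > "$1/mytemplate.txt" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = US
stateOrProvinceName = Florida
localityName = myCity
organizationName = MyCompany
commonName = 10.20.16.252
[v3_req]
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = vnxspa.domain.com
IP.1 = 10.0.0.1
EOF
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/server.key" \
        -config "$1/mytemplate.txt" -out "$1/request.csr"
}

# csr_sigalg FILE: print the algorithm the request was signed with.
csr_sigalg() {
    openssl req -in "$1" -noout -text |
        awk -F': *' '/Signature Algorithm/ { gsub(/[ \t\r]/, "", $2); print $2; exit }'
}

# csr_sans FILE: print the requested subjectAltName entries (empty if none).
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# check_csr FILE: succeed only for a SHA-2 RSA signature and a non-empty SAN list.
check_csr() {
    case "$(csr_sigalg "$1")" in
        sha224With*|sha256With*|sha384With*|sha512With*) [ -n "$(csr_sans "$1")" ] ;;
        *) return 1 ;;
    esac
}

demo=$(mktemp -d); make_csr "$demo"
check_csr "$demo/request.csr" && echo "ready for the CA: $(csr_sigalg "$demo/request.csr")"
rm -rf "$demo"
```

The signature algorithm on the CSR only covers the request itself; the hash used on the issued certificate is chosen by the CA, so run the same Algo check on the certificate that comes back.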
To create a sha256 self-signed certificate, issue the following command:
$ openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout mykey -out certsha256.crt -subj "/CN=10.x.x.x"
This single line creates a new private key, mykey, and a self-signed certificate, certsha256.crt, signed with the sha256 algorithm. The -nodes option leaves mykey unencrypted on disk.
The resulting certificate can be packaged in pfx format and imported on the SP using naviseccli.