In a previous post I mentioned how Google & Microsoft are starting to deprecate the use of SHA-1 Certificate Signatures in their browsers.
Google’s announcement can be found here at http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
Following on from this post I wondered how to change the default settings of OpenSSL to make sure that all future certificates don’t use SHA-1.
OpenSSL on Ubuntu 12.04 / 14.04
First edit the OpenSSL config file
$ sudo vim /etc/ssl openssl.cnf
Look for the following section
[ CA_default ]
default_days = 1000 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
Make the following change and save the file.
default_md = sha256 # use SHA-256 for Signatures
From this point onwards all Certificates generated will be signed with SHA-256.
Check the Certificate Signature
The following command will output information about the Certificate
$ openssl x509 -in cert.crt -text -noout
The output should look something like this.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11485830970703032316 (0x9f65de69ceef2ffc)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
Validity
Not Before: Jan 24 14:24:11 2014 GMT
Not After : Feb 23 14:24:11 2014 GMT
Subject: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b1:7f:29:be:78:02:b8:56:54:2d:2c:ec:ff:6d:
...
39:f9:1e:52:cb:8e:bf:8b:9e:a6:93:e1:22:09:8b:
59:05:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4A:9A:F3:10:9E:D7:CF:54:79:DE:46:75:7A:B0:D0:C1:0F:CF:C1:8A
X509v3 Authority Key Identifier:
keyid:4A:9A:F3:10:9E:D7:CF:54:79:DE:46:75:7A:B0:D0:C1:0F:CF:C1:8A
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
4a:6f:1f:ac:fd:fb:1e:a4:6d:08:eb:f5:af:f6:1e:48:a5:c7:
...
cd:c6:ac:30:f9:15:83:41:c1:d1:20:fa:85:e7:4f:35:8f:b5:
38:ff:fd:55:68:2c:3e:37
Hopefully in the not too distant future this will become the default on new installs. It may also be changed with a security update.
One comment