Generate an OpenSSL Certificate Request with SHA256 Signature

Google have recently announced that they are going to start reporting that SSL certificates that are signed with a SHA-1 Hash will be treated as having a lower security than those signed with newer, higher strength hashes such as SHA-256 or SHA-512.

Google’s announcement can be found here at

Technically at the moment there isn’t anything really wrong with the SHA-1 hash function, but it is now quite old and is starting to show potential cracks. Hence the reason that the security industry is advising to move to something better. In this case SHA-256.

1. Generate a SSL Key File

Firstly you will need to generate a key  file. The example below will generate a 2048 bit key file with a SHA-256 signature.

openssl genrsa -out key_name.key 2048 

If you want extra security you could increase the bit lengths.

openssl genrsa -out key_name.key 4096

** Please note that both these examples will not add a password to the key file. To do that you will need to add -aes256 to the command.

2. Create a Certificate Signing Request (CSR)

 This step will create the actually request file that you will submit to the Certificate Authority (CA) of your choice.

openssl req -out CSR.csr -key key_name.key -new -sha256

You can check that your Certificate Signing Request (CSR) has the correct signature by running the following.

openssl req -in CSR.csr -noout -text

It should display the following if the signature is correct.

Signature Algorithm: sha256WithRSAEncryption

3. Install the Certificate (CRT)

This step is very dependant of the software you use and I won’t really cover. All I will say is that these certificates are supported by a multitude of software, including Apache HTTPD and NGINX.

4. Test your installed Certificate

This step is extremely important and will show you any security problems with your SSL configuration.

Qualys have a free hosted service that tests the SSL configuration of Internet facing web servers for SSL issues. The sites tested are rated from A to F, and a report is generated. This report is really useful for tuning your SSL configuration.

The SSL Labs tests are regularly updated when new issues are discovered. This means that if your server is rated as A today, next week it maybe rated as C.




  1. Can’t you just do it all in One hit:

    openssl req -nodes -newkey rsa:4096 -sha256 -keyout test.key -out test.csr


  2. Anytime I try -sha256 I get invalid option and it is not listed as a parameter to the “req” command.

    req [options] outfile
    where options are
    -inform arg input format – DER or PEM
    -outform arg output format – DER or PEM
    -in arg input file
    -out arg output file
    -text text form of request
    -pubkey output public key
    -noout do not output REQ
    -verify verify signature on REQ
    -modulus RSA modulus
    -nodes don’t encrypt the output key
    -engine e use engine e, possibly a hardware device
    -subject output the request’s subject
    -passin private key password source
    -key file use the private key contained in file
    -keyform arg key file format
    -keyout arg file to send the key to
    -rand file;file;…
    load the file (or the files in the directory) into
    the random number generator
    -newkey rsa:bits generate a new RSA key of ‘bits’ in size
    -newkey dsa:file generate a new DSA key, parameters taken from CA in ‘file’
    -newkey ec:file generate a new EC key, parameters taken from CA in ‘file’
    -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)
    -config file request template file.
    -subj arg set or modify request subject
    -multivalue-rdn enable support for multivalued RDNs
    -new new request.
    -batch do not ask anything during request generation
    -x509 output a x509 structure instead of a cert. req.
    -days number of days a certificate generated by -x509 is valid for.
    -set_serial serial number to use for a certificate generated by -x509.
    -newhdr output “NEW” in the header lines
    -asn1-kludge Output the ‘request’ in a format that is wrong but some CA’s
    have been reported as requiring
    -extensions .. specify certificate extension section (override value in config file)
    -reqexts .. specify request extension section (override value in config file)
    -utf8 input characters are UTF8 (default ASCII)
    -nameopt arg – various certificate name options
    -reqopt arg – various request text options

    1. What OS are you using? I just tested it on Ubuntu 10.04 & Ubuntu 16.04 by cutting and pasting and it works fine.

    2. Okay. More information.

      If you do the following

      openssl req –help

      You will get the following somewhere in the output.

      -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)

      Basically what that means is that your system does not support sha256.


      1. hi Chris, not true about the -help output, these linux utils don’t update their readme/help output.
        I’m using openssl 1.0.2g / march 2016 and its’ help output is also just:
        -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4) ,
        but sha256 IS supported.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s