Thursday Jun 11, 2009

How to generate CSR with SHA1 (Signature Algorithm) with certutil in Web 6.1 SPx

If the security auditor asked you about the SSL certificate which is using MD5 as


Signature Algorithm, (e.g. http://www.kb.cert.org/vuls/id/836068 ) in web server 6.1SPx.


Then you can upgrade to 6.1SP11 which has default to SHA1 in CSR, e.g.


    Signature Algorithm: sha1WithRSAEncryption

If you cannot upgrade to 6.1SP11 now, then you can create a new CSR with SHA1 with certutil -Z option.

e.g. I did an example with -Z below for your reference,

apple:/export/home/iws6.1sp7> ./bin/https/admin/bin/certutil -R -s
"CN=hostname.domain.com,OU=Company,O=Company,L=Anytown,ST=New York,C=US"  -a -o /tmp/testSHA1.csr -k rsa -g 2048 -v 12 -d
/export/home/iws6.1sp7/alias -P https-apple-apple- -Z  SHA1

(Note- you need to change -d and -P to match what you have there in
your site!)

Enter Password or Pin for "NSS Certificate DB": <password to your
web server security DB>

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*|

Finished.  Press enter to continue:

Generating key.  This may take a few moments...

apple:/export/home/iws6.1sp7> ls -l /tmp/testSHA1.csr

-rw-rw----   1 root     other       1247 May 26 13:57
/tmp/testSHA1.csr

apple:/export/home/iws6.1sp7> cat /tmp/testSHA1.csr

Certificate request generated by Netscape certutil

....

-----BEGIN NEW CERTIFICATE REQUEST-----

MIICxjCCAa4CAQAwgYAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
...............

OesYDTs6R/KTs6R9o/GX/07eAhMO7m+sBQhd4Q29WUu3mkWRqbVzn9CE

-----END NEW CERTIFICATE REQUEST-----

then goto
http://www.ssldirect.com/ssltools/decode/csr/decode_csr_certificate_signing_request.html

to verify if this is SHA1 now,

......

Public Key Information
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)

Attributes
None
 

CSR Signature

Signature Algorithm: sha1WithRSAEncryption 
(see it is SHA1 , instead of MD5)

If you do not add the -Z  SHA1 at the end, then it will be

Signature Algorithm: md5WithRSAEncryption  \*\*\* instead

Then you can submit this CSR (with SHA1) to a CA, e.g. Verisign to sign it.

After you install the new SSL certificate, you can see it ok.

e.g. I added the new SSL cert as "new dumpy cert1" below,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -d /export/home/iws6.1sp7/alias -P https-apple-apple-
1000year CT,,
myissuer Cu,Cu,Cu
Server-Cert u,u,u
new dumpy cert1 \*\*\* u,u,u

then I can examine the inside of this new SSL cert,

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple-
Certificate:

Data:
Version: 3 (0x2)
Serial Number:
00:a7:a9:fa:ed:f9:50:f7:7d
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption

or

apple:/export/home/iws6.1sp7/alias> /export/home/iws6.1sp7/bin/https/admin/bin/certutil -L -n "new dumpy cert1" -d /export/home/iws6.1sp7/alias -P https-apple-apple- | grep -i SHA
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Fingerprint (SHA1):

see more at

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html


About

Wing-Yip Walter Lee

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today