The Customize Windows

Technology Journal

By Abhishek Ghosh September 23, 2014 5:51 pm Updated on July 18, 2016

Generate CSR, Private Key With SHA256 Signature

Here is how to generate a CSR and private key with a SHA256 signature using OpenSSL, for either a reissue or a new request for an SSL/TLS certificate. We have explained SHA, the Secure Hash Algorithm, in an older article. We are publishing a completely new guide to correct our existing older guides on generating a CSR: almost all browsers will throw scary warnings for the older certificates, and OpenSSL, at the time of first publishing this article, uses a SHA-1 signature by default.

 

Generate CSR, Private Key With SHA256 Signature : Existing Customers Vs New Customers

 

Using SHA256 is a kind of breaking change (sunsetting SHA-1). Regarding breaking changes, there is a known saying:

Not possible to fix old entries without a breaking change, so remap old to new in import lib.

Most Certificate Authorities (CAs) support reissuing a certificate, since it is quite natural to lose the private key (and, for securing the server, frequent reissue is recommended in certain cases); at least GeoTrust does. If you are not used to the terminology: it is a Reissue request, NOT a Revoke request. Some authorities may treat the two as the same for certain types of SSL certificates. [Suggested To Read : Which SSL Certificate You Need]. In other words:

If you are an existing SSL certificate user who used a SHA-1 signature to generate the CSR, or you are not sure what you used, then before making a free Reissue request, make sure that the Certificate Authority (CA) will not mark the old certificate as revoked. Revocation data is publicly available and might impact your security policy in the long term.

If the Certificate Authority (CA) does not support reissue without marking the certificate as revoked, you need to change the Certificate Authority (CA) first. It is somewhat like domain registrars. There are only 30 Certificate Authorities (CAs) in this world; see the list on DMOZ. DMOZ has some use even in 2014! 23 are listed. It costs around a 70K USD fee and a 10K USD annual fee to become a Certificate Authority (CA), provided that all the RFC-listed standards are maintained. This is information we know via a third party. If you are bored with SSL certificates, you will probably understand that becoming a Certificate Authority (CA) is not really a cost-effective way out!

An old private key generated with SHA-1 will work with the updated intermediate certificates in a kind of compromised mode, and that is not the recommended way to fix the issue. An SSL certificate is, essentially, not a new way to fool Google for better SERP!

 

Generate CSR, Private Key With SHA256 Signature : Loading Dose For The Old Victims

 

In case you are an old victim of SHA-1 and used to store the certificates in a path like this:

/etc/nginx/ssl

You can create a new directory named sha256 under the old SSL directory. It is quite likely that SHA-3 will be introduced in future, and with so many certificates you will get confused. So the new path becomes:

/etc/nginx/ssl/sha256
# mkdir -p /etc/nginx/ssl/sha256

Use the old names you used for the private key, the CSR, the certificate issued by the CA, the intermediate certificate and other things like concatenated files. In this way, if you keep the new files under /etc/nginx/ssl/sha256, you will only need to edit the path in your web server software's configuration, for example in the Nginx default settings:

/etc/nginx/sites-available/default
# for nginx, just open with
## nano /etc/nginx/sites-available/default
# write out, save and do a config test
## nginx -t
# if fine, just restart
## service nginx restart
# these are valid if you have followed the below steps first


Generate CSR, Private Key With SHA256 Signature : The Common Coding Part

 

So, both new and old customers will use the same path, somewhat like:

/etc/nginx/ssl/sha256

OpenSSL still uses SHA-1 by default (at the time of writing this guide) unless we force SHA-2, either in the config file or on the command line that generates the request. There are a lot of reasons why OpenSSL uses SHA-1; just to remind you, SHA256 is only one type of SHA-2 signature. As in practice we will not need our servers to generate a large number of SSL certificates, forcing SHA256 and a 2048-bit key strength on the command line seems the better option to us. Just update and upgrade your setup:

apt-get update -y && apt-get upgrade
# we assume you are using a deb based Linux server
# check the version of OpenSSL
openssl version
# not unusual to find an old library

# go to /etc/nginx/ssl/sha256
cd /etc/nginx/ssl/sha256
# generate the private key and the CSR
openssl req -new -newkey rsa:2048 -nodes -sha256 -out thecustomizewindows.com.csr -keyout thecustomizewindows.com.key
# note the alternative command (-x509 writes a self-signed certificate instead of a CSR)
## openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout thecustomizewindows.com.key -out thecustomizewindows.com.crt
# we can add more parameters
# interactive output
writing new private key to 'thecustomizewindows.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: [I typed IN]
State or Province Name (full name) [Berkshire]: [I typed 'West-Bengal' without '' and hit return key]
Locality Name (e.g., city) [Newbury]: [I typed 'Kolkata' without '']
Organization Name (e.g., company) [My Company Ltd]: [I typed company's name, you can omit]
Organizational Unit Name (e.g., section) []: [I typed website's name, you can omit]
Common Name (e.g., your name or your server's hostname) []:[I typed thecustomizewindows.com, very important]
Email Address []: [I typed our domain named email, very important]

You will never need this .csr after you obtain the certificate. Please do not forget to keep a backup of these files. People often forget where they kept the .key file; this is quite a common problem with SSL certificates. These are not very secret files, as none will be used for code signing or for e-commerce purposes. For e-commerce, usually an EV SSL certificate is used; the steps are the same, but possibly you will use a password for the private key. As the domain name will not match, these files are useless outside your domain. Obviously, not very secret never means you will be distributing them publicly.
Do a listing of the files and open the CSR file:

ls
# output
thecustomizewindows.com.csr thecustomizewindows.com.key
## open
nano thecustomizewindows.com.csr
# we are sorry for the typographical error present before
# and now is corrected.
# .csr is the thing you'll copy for the request
# memorize it as: csr means certificate request
# copy it by highlighting everything, or
# open via FTP to copy
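
Before pasting the CSR into the CA's form, it is worth confirming that it really carries a SHA-256 signature and belongs to the key you just saved. The script below is an added example, not part of the original article; the host name example.test, the DN values passed with -subj (instead of the interactive prompts) and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). example.test and the DN
# values are placeholders; on the server the directory is /etc/nginx/ssl/sha256.

# Create a 2048-bit RSA key and a SHA-256-signed CSR for host $2 in directory $1.
make_csr() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the key file is owner-only from the moment it exists
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/C=IN/ST=West-Bengal/L=Kolkata/CN=$host" \
          -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null )
}

# Print the signature algorithm recorded in the CSR, e.g. sha256WithRSAEncryption.
csr_sigalg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if the CSR's self-signature verifies and the CSR carries the
# public key that belongs to the private key file $2.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo in a scratch directory so nothing under /etc is touched.
work=$(mktemp -d)
if make_csr "$work" example.test; then
    echo "signature algorithm: $(csr_sigalg "$work/example.test.csr")"
    csr_matches_key "$work/example.test.csr" "$work/example.test.key" &&
        echo "CSR self-signature is valid and matches the key"
fi
```

If csr_sigalg prints sha1WithRSAEncryption, the -sha256 flag was dropped or the OpenSSL build ignored it, and the CSR should be regenerated before it is submitted.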

Now, go to your CA's website and find the way to either request a new certificate or ask for a reissue. GeoTrust sends an email to check whether it is a valid request; you will need the order ID to fill in the form. When you request a reissue or a fresh certificate, at least for now, make sure that the hash is selected as SHA256 or SHA2 above the CSR paste field. Then click to continue. You will get another email to accept. Then you will get another email with the fresh new certificate and the intermediate certificate.

# go to /etc/nginx/ssl/sha256
cd /etc/nginx/ssl/sha256
# create the files
nano thecustomizewindows.extension
# paste the content, write out, save
# .extension is usually .crt
# use .crt if you do not know
# what you are doing
# .pem is special format, encoded by software
nano intermediate.extension
# paste the content, write out, save
# make them one if needed like for Nginx
# it is nothing but copy pasting the textual material
# like
# thecustomizewindows_with_private.com.crt
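
The two pasted files can be checked before they are merged for Nginx. This added example (not from the original article) refuses a certificate that is SHA-1 or MD5 signed or that does not match the private key, then concatenates it with the intermediate; the file names and the self-signed stand-in certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). File names are placeholders.

# Print the algorithm the issuer used to sign certificate $1.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if certificate $1 carries the public key of private key $2.
cert_matches_key() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# build_bundle SERVER_CRT INTERMEDIATE_CRT KEY OUT
# Refuse SHA-1/MD5-signed or mismatched certificates, then write the server
# certificate followed by the intermediate, the order nginx expects.
build_bundle() {
    case $(cert_sigalg "$1") in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*|'')
            echo "refusing $1: weak or unreadable signature algorithm" >&2
            return 1 ;;
    esac
    cert_matches_key "$1" "$3" ||
        { echo "refusing $1: does not match key $3" >&2; return 1; }
    cat "$1" "$2" > "$4"
}

# Constructed stand-in for a CA-issued file: a one-day self-signed certificate.
standin_cert() {  # standin_cert CN KEY_OUT CRT_OUT
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -days 1 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Demo in a scratch directory.
work=$(mktemp -d)
standin_cert example.test "$work/server.key" "$work/server.crt" &&
standin_cert intermediate.test "$work/inter.key" "$work/inter.crt" &&
build_bundle "$work/server.crt" "$work/inter.crt" "$work/server.key" \
    "$work/bundle.crt" &&
    echo "bundle written, server cert signed with $(cert_sigalg "$work/server.crt")"
```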

Now open the domain config file, like /etc/nginx/sites-available/default for the Nginx default settings, and change the path to add sha256 if you are using the same file names. Do a config test, like nginx -t for Nginx, and restart the server. You will get the result immediately. We wrote this for the Nginx web server. If you want to learn How To Install SSL Certificate on Apache2 Web Server, you can read the linked article. Basically, installing an SSL certificate is easy on Nginx. We mentioned formats like .pem in this article; we have actually written about how to convert a .crt certificate to .pem format.

So far, this is a partial guide even for Nginx; you can read the full guide for Nginx SSL certificate installation. An SSL certificate does not cost much; tweaking demands knowledge. We said copy-pasting; SSL Certificate Authorities will call it "concatenating". For selling things, nice phrases are used! There is no difference between running the cat command and copy-pasting with .crt files.
If you are hoping for better SERP, we can tell you that, as of the end of November 2014, SSL or HTTPS does not improve SERP by itself. Google and Matt Cutts are known liars; they test various things, as they did with Authorship. Indeed, HTTPS blocks ads, and many man-hours are needed to optimize. The net gain is too low.

HSTS requires more steps. We are on the HSTS preload list. There are more things to generate, which are described in this SSL Certificate Optimization guide. That is also a full guide. There are many more steps ahead. Google wrote that more secure sites will get priority. It is very easy to find others' fault. We told you what we have experienced.

You can read the guide to enable OCSP Stapling on Nginx.

Cite this article as: Abhishek Ghosh, "Generate CSR, Private Key With SHA256 Signature," in The Customize Windows, September 23, 2014, January 31, 2023, https://thecustomizewindows.com/2014/09/generate-csr-private-key-with-sha256-signature/.

Source:The Customize Windows, JiMA.in
