Here is how to generate CSR, Private Key with SHA256 signature with OpenSSL for either reissue or new request to get SSL/TLS Certificate. We have explained the SHA or Secure Hash Algorithm in our older article. The need to throw a complete new guide to Generate CSR, Private Key With SHA256 Signature is to correct our existing older guides on Generating CSR as almost all the browsers will throw scary warning with older stuffs and OpenSSL, by default, at the time of first publishing this article uses SHA-1 Signature by default.
Generate CSR, Private Key With SHA256 Signature : Existing Customers Vs New Customers
Using SHA256 is kind of breaking change (Sunsetting SHA-1). Regarding breaking change there is a known saying :
Not possible to fix old entries without a breaking change, so remap old to new in import lib.
As the most Certificate Authority (CA) has support for reissue of a new certificate – it is quite natural to loss the private key (or for securing the server, frequent issue is recommended in certain cases), so most has this feature – at least GeoTrust has. If you are not used with the terminologies – it is Reissue Request NOT Revoking Request. It might be same for some authority for certain type of SSL Certificates. [Suggested To Read : Which SSL Certificate You Need]. In other words :
If you are an existing SSL Certificate user who used SHA-1 Signature to generate CSR or not sure what you used, before a free Reissue request, make sure that the Certificate Authority (CA) will not mark as Revoke. Revoking is a publicly available data and might impact your security policy in long term.
If Certificate Authority (CA) does not support Reissue without marked as Revoked, you need to change the Certificate Authority (CA) first. It is somewhat like the Domain Registrars. There are only 30 Certificate Authorities (CA) on this world, see the list on DMOZ. DMOZ has some usage even in 2014 ! 23 are listed. It costs around 70K USD fee and 10K USD annual fee to become a Certificate Authority (CA), providing that all the RFC Listed standards are maintained. This is the information we know via a Third Party. If you are bored with SSL Certificates, probably you’ll understand that becoming a Certificate Authority (CA) is not really a cost effective way!
Old Private Key generated with SHA-1 will work with the updated Intermediate certificates in a kind of compromised mode and not recommended way to fix the issue. SSL Certificate, essentially is not a new way to fool Google for better SERP!
Generate CSR, Private Key With SHA256 Signature : Loading Dose For The Old Victims
In case you are an old victim of SHA-1 and used to store the certificates in a path like this :
1 | /etc/nginx/ssl |
You can create a new directory named SHA256 under the old SSL directory, because it is quite likely that SHA-3 will be introduced in future, with soooo many certificates, you’ll get confused. So, new path is becoming :
1 2 | /etc/nginx/ssl/sha256 # mkdir -p /etc/nginx/ssl/sha256 |
Use the old names you used for private key, csr, key issued by CA, intermediate key and other stuffs like concatenated files. In this way, if you keep the new things under /etc/nginx/ssl/sha256, you will only require to simply edit and change the path in your web server software’s configuration, like for Nginx default settings :
1 2 3 4 5 6 7 8 | /etc/nginx/sites-available/default # for nginx, just open with ## nano /etc/nginx/sites-available/default # write out, save and do a config test ## nginx -t # if fine, just restart ## service nginx restart # these are valid if you have followed the below steps first |
---
Generate CSR, Private Key With SHA256 Signature : The Common Coding Part
So, both the new and old will use the same path, somewhat like :
1 | /etc/nginx/ssl/sha256 |
OpenSSL by default still uses (at the time of writing this guide) SHA-1 unless either – we specify to force SHA-2 with the config file or with command to generate. The reason why OpenSSL uses SHA-1, has lot of reasons, just to remind you – SHA256 is only one type of SHA-2 Signature. As practically we will not need our servers to generate nth number of SSL Certs, using command forcing SHA256 and 2048 bit key strength seems better option to us. Just update and upgrade your setup :
1 2 3 4 5 | apt-get update -y && apt-get upgrade # we are taking you are using a deb based linux server # check the version of OpenSSL openssl version # not unusual to find an old library |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | # go to /etc/nginx/ssl/sha256 cd /etc/nginx/ssl/sha256 # generate stuffs openssl req -new -newkey rsa:2048 -nodes -sha256 -out thecustomizewindows.com.csr -keyout thecustomizewindows.com.key # note the alternative command ## openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout thecustomizewindows.com.key -out thecustomizewindows.com.crt # we can add more parameters # interactive output writing new private key to 'thecustomizewindows.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]: [I typed IN] State or Province Name (full name) [Berkshire]: [I typed 'West-Bengal' without '' and hit return key] Locality Name (e.g., city) [Newbury]: [I typed 'Kolkata' without ''] Organization Name (e.g., company) [My Company Ltd]: [I typed company's name, you can omit] Organizational Unit Name (e.g., section) []: [I typed website's name, you can omit] Common Name (e.g., your name or your server's hostname) []:[I typed thecustomizewindows.com, very important] Email Address []: [I typed our domain named email, very important] |
You will never require this .csr after you obtain the certificate. Please do not forget to keep a backup of these files. People often forgets where the .key file they kept. These are quite common problem with SSL certificate. These are not very secret files, as none will be used for code signing or for e-commerce purpose. For e-commerce, usually EV SSL certificate is used, steps are same, but possibly you will use a password for the private key. As domain name will not match, these files are useless outside your domain. Obviously, not very secret never means you’ll be distributing them publicly.
Do a listing of files and open the CSR file :
1 2 3 4 5 6 7 8 9 10 11 | ls # output thecustomizewindows.com.key thecustomizewindows.com.crt ## open nano thecustomizewindows.com.csr # we are sorry for the typographical error present before # and now is corrected. # .csr is the thing you'll copy for request # memorize it as csr means certificate request # copy it by highlighting all the things or # open via FTP to copy |
Now, go to your CA’s website, find the way to either request a new one or ask for a reissue. GeoTrust sends an email to check whether it is a valid request, you will need the order ID to fill the form. When you will request re-issue or fresh new one, at least for now, make sure that the Hash is selected as SHA256 or SHA2 above the CSR paste field. Then click to continue. You’ll get another email to accept. Then you’ll get another email with the new fresh certificate and intermediate certificate.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | # go to /etc/nginx/ssl/sha256 cd /etc/nginx/ssl/sha256 # generate files nano thecustomizewindows.extension # paste the content, write out, save # .extension is usually .crt # use .crt if you do not know # what you are doing # .pem is special format, encoded by software nano intermediate.extention # paste the content, write out, save # make them one if needed like for Nginx # its nothing but copy pasting the textual material # like # thecustomizewindows_with_private.com.crt |
Now open the domain config file like /etc/nginx/sites-available/default for Nginx default settings and change the path to add sha256 if you are using the same named files. Do a config test like nginx -t for Nginx and restart the server. Immediately you’ll get the result. We wrote for nginx webserver. If you want to learn about How To Install SSL Certificate on Apache2 Web Server, you can read the linked article. Basically, installing SSL certificate is easy on Ngnix. We were talking about formats like .pem in this article, actually we wrote about how to convert .crt Certificate to .pem format.
So far, it is a partial guide for even Nginx, you can read the full guide for Nginx SSL certificate installation. SSL Certificate does not cost much, tweaking demands knowledge. We said copy-pasting, SSL Certificate Authorities will say it “concatenate”. For selling stuffs, nice phrases are used! There is no difference between running cat command and copy pasting with .crt.
If you are hoping for better SERP, we can tell you at the end of November 2014, SSL or HTTPS does not increase any SERP itself. Google and Matt Cutts ate known lier, they tests various stuffs like they did with Authorship. Indeed, HTTPS blocks Ads, many man hours needed to optimize. Net gain is too low.
HSTS requires more steps. We are HSTS Preloaded listed. There are more stuffs to generate, which are written in this SSL Certificate Optimization guide. That is also full. There many more steps in front. Google wrote more secure will get priority. It is very easy to find others’ fault. We told you what we have experienced.
You can read the guide to enable OCSP Stapling on Nginx.
