OpenSSL CSR with SHA2

TL;DR

Yes, you can create a Certificate Signing Request (CSR) using OpenSSL with SHA2 hashing algorithms. This guide shows you how.

Generating an OpenSSL CSR with SHA2

  1. Check OpenSSL Version: Ensure your OpenSSL version supports SHA2. Versions 1.0.1 and later generally do. You can check this using:
    openssl version
  2. Create a Private Key: If you don’t already have one, generate a private key.
    openssl genrsa -out example.key 2048

    This creates a 2048-bit RSA private key named example.key. You can increase the bit length for stronger security (e.g., 4096).

  3. Generate the CSR: Use the following command to create the CSR, specifying SHA256 as the hashing algorithm.
    openssl req -new -key example.key -out example.csr -sha256

    This will prompt you for information like country code, state, locality, organisation name, common name (your domain), etc. Fill these in accurately.

  4. Verify the CSR: Check the CSR to confirm it uses SHA256.
    openssl req -text -noout -in example.csr

    Look for the line starting with Signature Algorithm. It should say something like:

    Signature Algorithm: sha256WithRSAEncryption

  5. Alternative SHA2 Algorithm (SHA384): You can also use SHA384.
    openssl req -new -key example.key -out example.csr -sha384

    Verify as in step 4, looking for:

    Signature Algorithm: sha384WithRSAEncryption

  6. Important Considerations:
    • The Certificate Authority (CA) you’re submitting the CSR to must support SHA2. Most modern CAs do, but it’s always best to check their requirements first.
    • Keep your private key very secure. Do not share it with anyone! Only the CSR (example.csr) goes to the CA; example.key stays on your own system.
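
Steps 2 to 5 as a non-interactive script with a check that the CSR really carries a SHA2 signature, added here as an example (it is not part of the original guide). The function names, the temporary directory and the subject values passed with -subj (used in place of the interactive prompts from step 3) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scripted CSR generation plus a SHA2 gate before submission.
# Function names and subject values are illustrative, not from the guide.

# make_csr DIR DIGEST: write DIR/example.key and DIR/example.csr signed with DIGEST.
make_csr() {
    dir=$1; digest=$2
    # umask 077 in a subshell so the key file is readable by its owner only.
    ( umask 077; openssl genrsa -out "$dir/example.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/example.key" -out "$dir/example.csr" "-$digest" \
        -subj "/C=GB/ST=England/L=London/O=Example Ltd/CN=www.example.com" 2>/dev/null
}

# csr_sig_alg FILE: print the signature algorithm, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -text -noout -in "$1" 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# check_csr FILE: succeed only if the CSR parses, its self-signature verifies,
# and the signature digest is SHA256, SHA384 or SHA512.
check_csr() {
    openssl req -verify -noout -in "$1" >/dev/null 2>&1 ||
        { echo "rejected: unreadable CSR or bad signature"; return 1; }
    alg=$(csr_sig_alg "$1")
    case $alg in
        sha256With*|sha384With*|sha512With*) echo "ok: $alg" ;;
        *) echo "rejected: ${alg:-unknown}"; return 1 ;;
    esac
}

# Demo run in a throwaway directory so no key material is left behind.
demo() {
    tmp=$(mktemp -d) || return 1
    make_csr "$tmp" sha256 && check_csr "$tmp/example.csr"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

Running check_csr on a CSR received from someone else is a quick way to catch a request signed with an older digest before it reaches the CA.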