Google Inc. has recently announced that it is going to start reporting on SSL certificates that have been signed with the SHA-1 hash, which offers less security than newer and stronger hashes such as SHA-256 or SHA-512. Here we look at how to generate a certificate request with a SHA-256 signature using openssl.
Google’s announcement can be found here at
Technically there is nothing really wrong with the SHA-1 hash function, but it is quite old and is starting to show potential cracks. Because of this, the security industry is advising a move to something stronger, in this case SHA-256.
1. Generate an SSL Key File
As a first step you have to generate a key file. The example below will generate a 2048-bit RSA key file. The key itself carries no signature; the SHA-256 signature is applied in step 2, when the request is created with -sha256.
openssl genrsa -out key_name.key 2048
If you want extra security, you can increase the key length.
openssl genrsa -out key_name.key 4096
Note: these examples will not add a password to the key file. To do that, you will need to add -des3 to the command.
2. Create a Certificate Signing Request (CSR)
This step will create the actual request file that you will submit to the Certificate Authority (CA) of your choice.
openssl req -out CSR.csr -key key_name.key -new -sha256
You can check that your Certificate Signing Request (CSR) has the correct signature by running the following.
openssl req -in CSR.csr -noout -text
If the signature is correct, the output should include the following line.
Signature Algorithm: sha256WithRSAEncryption
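One way to script the check above so that a SHA-1 request is caught before it goes to the CA. This is an added example, not part of the original post; the function names, the list of algorithm names and the example.test subject are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: gate a CSR on its signature algorithm before submission.

# Print the signature algorithm named in the CSR at path $1.
csr_sig_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Classify an algorithm name as openssl prints it: ok, weak or unknown.
classify_sig_alg() {
    case "$1" in
        sha256With*|sha384With*|sha512With*) echo ok ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo ok ;;
        sha1With*|ecdsa-with-SHA1|md5With*) echo weak ;;
        *) echo unknown ;;   # includes unreadable or missing files
    esac
}

# Succeed only when the CSR at path $1 is signed with a SHA-2 hash.
check_csr() {
    local alg
    alg=$(csr_sig_alg "$1")
    [ "$(classify_sig_alg "$alg")" = ok ]
}

# Demo: throwaway key and a constructed subject, removed afterwards.
demo() {
    local dir rc=0
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/key_name.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$dir/key_name.key" \
        -subj "/CN=example.test" -out "$dir/CSR.csr" &&
    echo "Signature algorithm: $(csr_sig_alg "$dir/CSR.csr")" &&
    check_csr "$dir/CSR.csr" && echo "CSR is SHA-2 signed" || rc=1
    rm -rf "$dir"
    return "$rc"
}

if command -v openssl >/dev/null 2>&1; then
    demo || echo "demo failed" >&2
fi
```

Run check_csr against CSR.csr from step 2; a non-zero exit status means the request should be re-created with -sha256.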
3. Install the Certificate (CRT)
This step depends heavily on the software you use, and I won't really cover it. All I will say is that these certificates are supported by a multitude of software, including Apache HTTPD and NGINX.
To test your installed certificate, you can refer to http://dotnetstock.com/technical/how-to-generate-a-sha256-certificate-and-how-to-install-sha256-certificate-in-iis/. This will help you to understand more.