I needed to renew the certificate for my server and the certificate request (CSR) needed to be 2048 bits and SHA-2. My server is a RHEL (RedHat Enterprise Linux) system, so there is a Makefile in /etc/pki/tls/certs that should do the trick. However, I had a devil of a time. Here’s what finally worked.
First, I added “-sha256” to the openssl command line in the Makefile. (SHA-2 is a family of cryptographic hash functions, and SHA-256 is in that family.) Here is the relevant entry in the Makefile:

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -sha256 $(UTF8) -new -key $(KEY) -out $(CSR)
In the Makefile, there are lines that specify where the private key file and the CSR file are (or should be):
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
It’s the private key that needs to be 2048 bits. I think I had one that was 2048 bits, but I think I also had an older one that was smaller (probably 1024). The .key file doesn’t label itself with its length, but I noticed that the two files differed in length:
[root@tempest private] ls -l *.key
-r--------. 1 root root 1737 Apr 13  2014 cs.wellesley.edu.key
-r--------. 1 root root  916 Jan 26  2014 localhost.key
The “make genkey” command said nothing needed to be done, but generating a CSR using “make certreq” produced a CSR file that the signing authority rejected (too few bits). So, I edited the Makefile to point KEY at the longer .key file and generated a new CSR with “make certreq”. That one seems to have worked.
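Since a .key file does not announce its own size, here is an added check (my own example, not part of the original post or of the RHEL Makefile) that reads the RSA modulus out of a PEM private key and reports its bit length, so you can confirm a key is 2048 bits before running “make certreq”. It handles both the PKCS#1 form (“BEGIN RSA PRIVATE KEY”) that older OpenSSL writes and the PKCS#8 form (“BEGIN PRIVATE KEY”) newer OpenSSL emits; the sample_key helper only builds constructed, non-functional fixtures so the parser can be exercised offline.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(pem: str) -> int:
    """Modulus size in bits of an unencrypted PEM RSA private key (PKCS#1 or PKCS#8)."""
    m = re.search(r"-----BEGIN (RSA )?PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not an unencrypted PEM private key")
    _, body, _ = _read_tlv(base64.b64decode("".join(m.group(2).split())), 0)
    if m.group(1) is None:  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING(RSAPrivateKey)
        _, _, pos = _read_tlv(body, 0)
        _, alg, pos = _read_tlv(body, pos)
        if not alg.startswith(RSA_OID):
            raise ValueError("PKCS#8 key is not an RSA key")
        _, inner, _ = _read_tlv(body, pos)
        _, body, _ = _read_tlv(inner, 0)
    _, _, pos = _read_tlv(body, 0)  # RSAPrivateKey.version
    tag, modulus, _ = _read_tlv(body, pos)  # RSAPrivateKey.modulus (n)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample keys below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_key(bits: int, pkcs8: bool = False) -> str:
    """Constructed fixture, NOT a usable key: right-sized modulus, dummy other fields."""
    fields = (0, (1 << (bits - 1)) | 1, 65537, 3, 5, 7, 11, 13, 17)
    der = _der(0x30, b"".join(_der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big")) for v in fields))
    label = "RSA PRIVATE KEY"
    if pkcs8:  # wrap as PrivateKeyInfo { version 0, rsaEncryption + NULL params, OCTET STRING }
        der = _der(0x30, _der(0x02, b"\x00") + _der(0x30, RSA_OID + b"\x05\x00") + _der(0x04, der))
        label = "PRIVATE KEY"
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

On the real files, call rsa_key_bits(open("/etc/pki/tls/private/localhost.key").read()) and compare the result with 2048; “openssl rsa -in localhost.key -noout -text | head -n 1” prints the same figure.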