Create SHA2 CSR with keytool

Adriaan Mutter
Greenhorn

Joined: Jun 16, 2011
Posts: 2

I need to create a Certificate Signing Request for a server certificate with an SHA2 algorithm.
I created one using keytool in the JAVA6 jre
with the following command: keytool -genkeypair -alias myKeyPairSha2 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore myKeystore

The CA is now complaining it isn't a SHA2 certificate.
I checked it myself at http://certlogik.com/decoder/ and it says Signature Algorithm: sha1WithRSAEncryption

I downloaded Java7 JRE and tried it with that keytool and the same command
gave a Signature Algorithm: sha256WithRSAEncryption

Since my server is running JAVA6 I don't want to use a certificate created with JAVA7 (which isn't even supported yet)

Can anybody help me create a SHA2 CSR with java6?




James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Adriaan Mutter wrote:
Since my server is running JAVA6 I don't want to use a certificate created with JAVA7 (which isn't even supported yet)


A certificate is not tied to a particular version of the JRE/JDK so if the CSR created with Java 7 is accepted by the CA then what is the problem?


Retired horse trader.
Adriaan Mutter
Greenhorn

Joined: Jun 16, 2011
Posts: 2

The question is how to create a CSR using the java6 Keytool.
There's no problem creating a sha2 certificate since it also can be done with a lot of other tools.

I want a. to understand why java6 keytool won't create a sha2 while java7 keytool will
b. to be sure the certificate can be used on the webserver (WebLogic Server V10.3.0.0)

BTW:
The formal CSR is created by an admin in the company I work for
they don't have a java7 installation
and I don't know whether they will agree with creating a CSR with tooling they don't support
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Adriaan Mutter wrote:
The question is how to create a CSR using the java6 Keytool.
There's no problem creating a sha2 certificate since it also can be done with a lot of other tools.

I want a. to understand why java6 keytool won't create a sha2 while java7 keytool will
b. to be sure the certificate can be used on the webserver (WebLogic Server V10.3.0.0)

BTW:
The formal CSR is created by an admin in the company I work for
they don't have a java7 installation
and I don't know whether they will agree with creating a CSR with tooling they don't support


Since Java7 produces a valid CSR, the failure of Java6 to produce a valid CSR simply sounds like a bug in Java6 keytool that has just been fixed in Java7. Have you checked the bug database? If not do so and if you do not find a bug report matching your problem then you should raise one against Java6 keytool.

If the CA accepts a CSR created using Java7 then what would make the WebLogic Server reject the issued certificate? As I said, nothing in a CSR ties it or the resulting certificate to any Java version. Since you seem uncomfortable using beta software (in your shoes I probably would be) then ask your admin what tool they normally use for creating CSRs (I use OpenSSL to create CSR and certificates but I'm not at the mercy of an admin and I don't use SHA256 for my CSRs).

 