I need to create a Certificate Signing Request for a server certificate with an SHA2 algortime.
I created one using keytool in the JAVA6 jre
with the following command: keytool -genkeypair -alias myKeyPairSha2 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore myKeystore
The CA is now complaining it isn't a SHA2 certificate.
I checked it myself at http://certlogik.com/decoder/ and it say Signature Algorithm: sha1WithRSAEncryption
I downloaded Java7 JRE and tried it with that keytool and the same command
gave an Signature Algorithm: sha256WithRSAEncryption
Since my server is running JAVA6 I don't want to use a certificate created with JAVA7 (which isn't even supported yet)
Can anybody help me creating a SHA2 CSR with java6
Adriaan Mutter wrote:The question is how to create a CSR using the java6 Keytool.
There's no problem creating a sha2certificate since it also can be done with a lot of other tools.
I want a. to understand why java6 keytool won't create a sha2 while java7 keytool will
b. to be sure the certificate can be used on the webserver (WebLogic Server V10.3.0.0)
The formal CSR is created by an admin in the company I work for
they don't have a java7 installation
and I don't know wether they will agree with creating a CSR with tooling they don't support
Since Java7 produces a valid CSR, the failure of Java6 to produce a valid CSR simply sounds like a bug in Java6 keytool that has just been fixed in Java7. Have you checked the bug database? If not do so and if you do not find a bug report matching your problem then you should raise one against Java6 keytool.
If the CA accept a CSR created using Java7 then what would make the WebLogic Server reject the issued certificate? As I said, nothing in a CSR ties it or the resulting certificate to any Java version. Since you seem uncomfortable using beta software (in your shoes I probably would be) then ask your admin what tool they normally use for creating CSRs (I use OpenSSL to create CSR and certificates but I'm not a the mercy of an admin and I don't use SHA256 for my CSRs).