Using SHA-2 algorithm to generate the self-signed certificate

By default, the openssl command on the PCA signs the self-signed certificate with the SHA-1 hash algorithm.

Optionally, you can use SHA-2 for the digital signature hash by adding the -sha256 option, as in the following command:

Note: The following command is supported in PCA Build 3500 or later.

/usr/local/ctccap/bin/openssl req -x509 -sha256 -days 365 -newkey rsa:2048 \
  -key example.key -out example.crt
If your PCA is not Build 3500 or later, you might be able to generate the SHA-2 certificate on another Linux system. To determine whether that system supports it, run the following command in a non-PCA environment:

openssl dgst -h

The following line should appear in the output:

-sha256         to use the sha256 message digest algorithm

If that line is displayed, the Linux installation supports the SHA-2 option, and you can run the following command without the PCA-specific path:

openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -key example.key -out \
  example.crt
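The support check and the certificate generation described above, combined into one script that also verifies the signature algorithm actually written into the certificate. This is an added example, not part of the original page: it probes SHA-256 support by running the digest rather than grepping help text, generates a fresh key with -keyout instead of reusing an existing -key file, and the file names and the subject pca.example.test are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate a self-signed
# certificate with a SHA-256 signature and verify the result before use.
# The file names and the subject "pca.example.test" are assumptions.
set -eu

# Return 0 when this openssl can produce SHA-256 digests. Probing the digest
# directly is more robust than grepping "openssl dgst -h": newer releases list
# digests as "-*  Any supported digest" rather than naming -sha256.
supports_sha256() {
    openssl dgst -sha256 /dev/null >/dev/null 2>&1
}

# Generate a 2048-bit RSA key and a one-year self-signed certificate signed
# with SHA-256. -keyout receives the new key; -nodes leaves it unencrypted so
# a service can load it unattended (protect the file with permissions instead).
make_cert() {
    openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "/CN=pca.example.test" >/dev/null 2>&1
}

# Print the signature algorithm recorded in a certificate, for example
# "sha256WithRSAEncryption"; a SHA-1 signature shows "sha1WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 only for a SHA-256-signed certificate, so an install script can
# refuse a certificate that silently fell back to SHA-1.
check_sha256_cert() {
    [ "$(cert_sig_alg "$1")" = "sha256WithRSAEncryption" ]
}

main() {
    supports_sha256 || { echo "this openssl lacks SHA-256 support" >&2; return 1; }
    dir=$(mktemp -d)
    make_cert "$dir/example.key" "$dir/example.crt"
    chmod 600 "$dir/example.key"
    if check_sha256_cert "$dir/example.crt"; then
        echo "example.crt is signed with $(cert_sig_alg "$dir/example.crt")"
    else
        echo "unexpected signature algorithm: $(cert_sig_alg "$dir/example.crt")" >&2
        return 1
    fi
    rm -rf "$dir"
}

main "$@"
```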