Using SHA-2 algorithm to generate the self-signed certificate
By default, the openssl command uses the SHA-1 algorithm to generate the self-signed certificate on the PCA. Optionally, you can use SHA-2 for the digital signature hash by adding the -sha256 option, as in the following command:
Note: The following command is supported in PCA Build 3500 or later.
/usr/local/ctccap/bin/openssl req -x509 -sha256 -days 365 -newkey rsa:2048 \
-key example.key -out example.crt
If you are not running PCA Build 3500 or later, you might be able to generate the SHA-2 certificate on another Linux system. To determine whether it is possible, run the following command in a non-PCA environment:
openssl dgst -h
The following line might be displayed in the generated output:
-sha256 to use the sha256 message digest algorithm
If the previous line is displayed, then the Linux installation accepts the SHA-2 option. You can run the following command without providing the PCA-specific path:
openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -key example.key -out \
example.crt
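
The support check and the certificate command above can be combined with a verification of the hash that the finished certificate actually carries. The following script is an added example, not part of the original documentation: it probes the digest directly instead of reading help text, and the function names, the openssl genrsa step, the -new and -subj options, and the subject CN=example.test are assumptions chosen so that it runs non-interactively on a non-PCA Linux system.

```sh
#!/bin/sh
# Added example (not from the PCA documentation). Function names, the
# temporary directory and the subject CN=example.test are assumptions.

# Functional probe: hash empty input rather than reading help text.
supports_sha256() {
    openssl dgst -sha256 </dev/null >/dev/null 2>&1
}

# Print the signature algorithm recorded in a PEM certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Create example.key and example.crt in directory $1. -new with -key
# signs with the key just generated; -subj avoids the interactive prompts.
make_sha256_cert() {
    ( umask 077; openssl genrsa -out "$1/example.key" 2048 2>/dev/null ) ||
        return 1
    openssl req -x509 -sha256 -days 365 -new -key "$1/example.key" \
        -subj "/CN=example.test" -out "$1/example.crt" 2>/dev/null
}

# Succeed only if the signature uses SHA-256 (RSA naming, for example
# sha256WithRSAEncryption); a SHA-1 certificate makes this fail.
is_sha256_signed() {
    case "$(cert_sig_alg "$1")" in
        sha256*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    supports_sha256 || { echo "this openssl rejects -sha256" >&2; return 1; }
    work=$(mktemp -d) || return 1
    make_sha256_cert "$work" && is_sha256_signed "$work/example.crt"
    rc=$?
    echo "signature algorithm: $(cert_sig_alg "$work/example.crt" 2>/dev/null)"
    rm -rf "$work"
    return "$rc"
}

demo || echo "certificate is not SHA-256 signed" >&2
```

Running is_sha256_signed against an existing certificate file shows whether that certificate still needs to be regenerated with -sha256.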