I am generating a private key with a Tomcat keystore. After the certificate request is generated and submitted, the server certificate seems to have the SHA256RSA signature algorithm and eventually gives a "cannot establish chain from reply" error. The root and intermediate certificates are all SHA1RSA. While generating the key pair and certificate request, SHA1RSA was specified as the signature algorithm.

Could anyone assist as in how to generate the server certificate with SHA256RSA?

Here are the steps I followed (broken into multiple lines for readability):

keytool -genkey -dname "CN=xxxx, OU=Servers, O=xx, C=US" \
    -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keysize 2048 \
    -keypass xxx -keystore tomcat2k.keystore

keytool -certreq -v -alias tomcat -keyalg RSA -sigalg SHA1withRSA \
    -keysize 2048 -keypass xxx -file certreq.csr -keystore tomcat2k.keystore

Certificates received: Root, Intermediate (both SHA1RSA), and Server (SHA256RSA).

Intermediate gets imported. Server Certificate fails to establish the chain.

Thom Wiggers
dcoder

1 Answer

If you have access to openssl, I recommend using that instead of keytool. If you generate a certificate signing request, use the option -sha256 to set the hashing algorithm you are looking for.

First generate a certificate signing request:

$ openssl genrsa -des3 -out server.key 4096
$ openssl req -new -key server.key -out server.csr -sha256

Have the certificate signing request signed by your CA of choice. If you want a self-signed certificate you can use the following, otherwise skip this step:

$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 365 -key ca.key -out ca.pem
$ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem

Finally, convert the signed server.pem certificate to p7b, which is what tomcat expects, and then import the p7b into the tomcat keystore.

$ openssl crl2pkcs7 -nocrl -certfile server.pem -out tomcat2k.p7b -certfile ca.pem
$ keytool -import -trustcacerts -alias server -file tomcat2k.p7b -keystore tomcat2k.jks
rvaneijk
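The following is an added example; it is not code from the question or from the answer above. It reproduces the situation in the question with openssl only, so it can be run anywhere without a JDK: a throwaway root and intermediate CA, a server CSR whose own signature is hashed with SHA-1 (as the question's keytool -sigalg SHA1withRSA produces), and a server certificate that the issuing CA signs with SHA-256 regardless. Two things the question and the answer touch on are made visible: the digest named when the CSR is created is only the hash over the CSR itself, the CA picks the digest for the certificate it issues; and a leaf signed with SHA-256 under a chain signed with SHA-1 validates fine as long as the root is in the trust store, while a store that holds only the intermediate cannot complete the chain, which is the openssl counterpart of keytool's "cannot establish chain from reply". The names root-demo, inter-demo and server.example, the one-day validities and the serial numbers are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Builds a throwaway three-level PKI (root -> intermediate -> server) with
# openssl, signs a CSR that was hashed with SHA-1 into a certificate that the
# CA signs with SHA-256, then validates the chain two ways. The subject names,
# serials and one-day validity are assumptions made up for this example.
set -u

WORK="${TMPDIR:-/tmp}/chain-demo.$$"

# Signature algorithm recorded in a PEM object. $1 is "req" or "x509", $2 the file.
sig_alg() {
  openssl "$1" -in "$2" -noout -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Generate keys, CSRs and certificates under $WORK. Runs in a subshell so the
# cd does not leak; every step is &&-chained so the first failure aborts.
build_pki() (
  mkdir -p "$WORK" && cd "$WORK" &&
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext &&
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext &&
  # Root CA: self-signed.
  openssl genrsa -out root.key 2048 2>/dev/null &&
  openssl req -new -key root.key -subj '/CN=root-demo' -out root.csr 2>/dev/null &&
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 1 \
    -sha256 -extfile ca.ext -out root.pem 2>/dev/null &&
  # Intermediate CA: signed by the root.
  openssl genrsa -out inter.key 2048 2>/dev/null &&
  openssl req -new -key inter.key -subj '/CN=inter-demo' -out inter.csr 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 -days 1 \
    -sha256 -extfile ca.ext -out inter.pem 2>/dev/null &&
  # Server: the CSR is hashed with SHA-1 (mirroring the question's keytool
  # -sigalg SHA1withRSA); the CA still signs the certificate with SHA-256.
  openssl genrsa -out server.key 2048 2>/dev/null &&
  openssl req -new -key server.key -subj '/CN=server.example' -sha1 -out server.csr 2>/dev/null &&
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -set_serial 3 -days 1 \
    -sha256 -extfile server.ext -out server.pem 2>/dev/null
)

# "ok" if server.pem validates against the trust material given, else "fail".
# $1 = file of trusted CA certificates, $2 = optional file of untrusted intermediates.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.pem" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# One-line summary: digest used on the CSR, digest used on the issued
# certificate, and the chain result with the root trusted versus with only
# the intermediate trusted. Prints "skipped" when openssl is not installed.
run_demo() {
  command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
  build_pki || { echo fail; return 1; }
  csr=$(sig_alg req "$WORK/server.csr")
  crt=$(sig_alg x509 "$WORK/server.pem")
  with_root=$(verify_chain "$WORK/root.pem" "$WORK/inter.pem")  # root trusted, intermediate supplied
  inter_only=$(verify_chain "$WORK/inter.pem")                  # only the intermediate is trusted
  rm -rf "$WORK"
  echo "csr=$csr cert=$crt with_root=$with_root inter_only=$inter_only"
}

run_demo
```

Mapping this back to the question's tooling: keytool builds the same chain from the keystore's trusted entries (plus the JDK cacerts file when -trustcacerts is given), so the root has to be imported first (keytool -importcert -trustcacerts -alias root -file root.pem -keystore tomcat2k.keystore), then the intermediate under its own alias, and only then the server certificate under the alias that already holds the private key (keytool -importcert -alias tomcat -file server.pem -keystore tomcat2k.keystore); importing the reply under a fresh alias such as server creates a trusted-certificate entry, not a key entry, which Tomcat cannot serve from. A CSR generated with -sigalg SHA256withRSA is fine, but it does not make the CA sign with SHA-256; that is the CA's policy. If the private key was generated with openssl as in the answer, it is not in the JKS at all; the straightforward route is openssl pkcs12 -export -inkey server.key -in server.pem -certfile inter.pem -out tomcat.p12 and a connector with keystoreType="PKCS12". One caveat a practitioner should weigh before deploying a chain like the one in the question: SHA-1 signatures on CA certificates have been rejected by mainstream browsers since 2017, and OpenSSL 3 refuses them at its default security level, so the mixed SHA-1/SHA-256 chain will validate in keytool but may still be rejected by clients.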