6

I am using keytool in Java to generate a keystore/CSR to submit to a certificate authority.

My CA only supports MD5withRSA and SHA1withRSA.

Every time I use keytool to create the keystore and export the CSR, I am getting a SHA256withRSA signature algorithm.

I've tried manually setting the -sigalg, but it keeps going to SHA256 every time, whether I try to set it to MD5 or SHA1.

Can someone advise me on what I'm doing wrong?

keytool -genkey -alias server -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore www_mydomain_com.jks -dname "CN=www.mydomain.com,OU=it, O=mycompany, L=thecity, ST=thestate, C=US" && keytool -certreq -alias server -file www_mydomain_com.csr -keystore www_mydomain_com.jks

keytool -genkey -alias server -keyalg RSA -sigalg MD5withRSA -keysize 2048 -keystore www_mydomain_com.jks -dname "CN=www.mydomain.com,OU=it, O=mycompany, L=thecity, ST=thestate, C=US" && keytool -certreq -alias server -file www_mydomain_com.csr -keystore www_mydomain_com.jks

Both commands create a CSR that shows SHA256withRSA.

Moylin

4 Answers

6

You should add the -sigalg SHA1WithRSA parameter to the second keytool call, where the CSR is actually generated.

Nickolay Olshevsky
3

$ keytool -genkey -alias selfsignedcert -keyalg RSA -sigalg SHA1withRSA -keypass privatepassword -keystore identity.jks -storepass password -validity 365

user3123372
2

You have to assign the sigalg when you create the CSR (not the keystore):

$ keytool -certreq -alias <alias> -keystore <keystore>.jks -file <file>.csr -sigalg SHA1WithRSA
Soner Gönül
MGuppy
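
A pre-submission check for the point made in the answers above (the CSR carries its own signature algorithm, set on the -certreq call), as an added example that is not from any of the posters: it reads the signatureAlgorithm field of a PKCS #10 request and lets you compare it with the CA's list. The sample requests are constructed skeletons rather than keytool output, and `csr_sigalg`, `CA_ACCEPTS` and `sample_csr` are names chosen here.

```python
import base64

# PKCS #1 signature-algorithm OIDs, mapped to the names keytool prints.
SIG_OIDS = {"1.2.840.113549.1.1.4": "MD5withRSA",
            "1.2.840.113549.1.1.5": "SHA1withRSA",
            "1.2.840.113549.1.1.11": "SHA256withRSA"}
CA_ACCEPTS = {"MD5withRSA", "SHA1withRSA"}  # the CA's list, per the question

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 digits, high bit set means "more follows"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def csr_sigalg(data):  # PEM or DER bytes of a PKCS #10 request -> algorithm
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(
            l for l in data.splitlines() if not l.startswith(b"-----")))
    tag, outer, _ = read_tlv(data, 0)
    _, _, pos = read_tlv(outer, 0)           # skip CertificationRequestInfo
    _, alg, _ = read_tlv(outer, pos)         # signatureAlgorithm SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a PKCS #10 request")
    name = decode_oid(oid)
    return SIG_OIDS.get(name, name)          # unknown OIDs come back dotted

def tlv(tag, body):  # minimal DER encoder, used only to build the samples
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

def sample_csr(last_arc):  # CONSTRUCTED skeleton: dummy fields, zero signature
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")) + tlv(0x03, bytes(257)))
    return (b"-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(der)
            + b"-----END NEW CERTIFICATE REQUEST-----\n")
```

To check a real request, pass the bytes of the .csr file written by keytool -certreq to `csr_sigalg` and test the result against `CA_ACCEPTS`.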
0

SHA1 is already expired and valid only until 2016. You have to upgrade to SHA2. Try it and let me know if that solves your problem. -Jed A

Jed A
  • 1
    This post isn't an actual attempt at answering the question. Please note [StackOverflow doesn't work like a discussion forum](http://stackoverflow.com/tour), it is a Q&A site where every post is either a question or an answer to a question. Posts can also have [comments](http://stackoverflow.com/help/privileges/comment) - small sentences like this one - that can be used to critique or request clarification from an author. This should be either a comment or a [new question](http://stackoverflow.com/questions/ask) – ρяσѕρєя K Jan 12 '17 at 03:14
  • 1
    @ρяσѕρєяK someone with only 1 rep can't comment. – Phil Mar 19 '17 at 22:40