From ba782baac3009e44295589743bb8ae8220793e74 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 19 Sep 2018 09:04:48 +0200 Subject: certs: generate tests certs with sha256 digest algorithm As OpenSSL 1.1.1 starts to complain and fail on sha1 CAs: "SSL certificate problem: CA signature digest algorithm too weak" Closes #3014 --- tests/certs/scripts/genroot.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'tests/certs/scripts/genroot.sh') diff --git a/tests/certs/scripts/genroot.sh b/tests/certs/scripts/genroot.sh index 4d2118aae..5dd9fac95 100755 --- a/tests/certs/scripts/genroot.sh +++ b/tests/certs/scripts/genroot.sh @@ -17,6 +17,8 @@ cd $HOME KEYSIZE=2048 DURATION=6000 +# The -sha256 option was introduced in OpenSSL 1.0.1 +DIGESTALGO=-sha256 PREFIX=$1 if [ ".$PREFIX" = . ] ; then @@ -46,9 +48,9 @@ openssl genrsa -out $PREFIX-ca.key $KEYSIZE -passout pass:secret echo "openssl req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr" $OPENSSL req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr -passin pass:secret -echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-ca.prm -days $DURATION -req -signkey $PREFIX-ca.key -in $PREFIX-ca.csr -out $PREFIX-$SERIAL.ca-cacert -sha1 " +echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-ca.prm -days $DURATION -req -signkey $PREFIX-ca.key -in $PREFIX-ca.csr -out $PREFIX-$SERIAL.ca-cacert $DIGESTALGO " -$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-ca.prm -days $DURATION -req -signkey $PREFIX-ca.key -in $PREFIX-ca.csr -out $PREFIX-$SERIAL-ca.cacert -sha1 +$OPENSSL x509 -set_serial $SERIAL -extfile $PREFIX-ca.prm -days $DURATION -req -signkey $PREFIX-ca.key -in $PREFIX-ca.csr -out $PREFIX-$SERIAL-ca.cacert $DIGESTALGO echo "openssl x509 -text -in $PREFIX-$SERIAL-ca.cacert -nameopt multiline > $PREFIX-ca.cacert " $OPENSSL x509 -text -in $PREFIX-$SERIAL-ca.cacert -nameopt multiline > $PREFIX-ca.cacert -- cgit v1.2.3