
Create SHA2 CSR with keytool

 
Adriaan Mutter
I need to create a Certificate Signing Request for a server certificate with an SHA2 algorithm.
I created one using keytool in the JAVA6 jre
with the following command: keytool -genkeypair -alias myKeyPairSha2 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore myKeystore

The CA is now complaining it isn't a SHA2 certificate.
I checked it myself at http://certlogik.com/decoder/ and it says Signature Algorithm: sha1WithRSAEncryption

I downloaded Java7 JRE and tried it with that keytool and the same command
gave a Signature Algorithm: sha256WithRSAEncryption

Since my server is running JAVA6 I don't want to use a certificate created with JAVA7 (which isn't even supported yet)

Can anybody help me create a SHA2 CSR with java6?




 
James Sabre
Adriaan Mutter wrote:
Since my server is running JAVA6 I don't want to use a certificate created with JAVA7 (which isn't even supported yet)


A certificate is not tied to a particular version of the JRE/JDK so if the CSR created with Java 7 is accepted by the CA then what is the problem?
 
Adriaan Mutter
The question is how to create a CSR using the java6 Keytool.
There's no problem creating a SHA2 certificate since it also can be done with a lot of other tools.

I want a. to understand why java6 keytool won't create a sha2 while java7 keytool will
b. to be sure the certificate can be used on the webserver (WebLogic Server V10.3.0.0)

BTW:
The formal CSR is created by an admin in the company I work for
they don't have a java7 installation
and I don't know whether they will agree with creating a CSR with tooling they don't support
 
James Sabre
Adriaan Mutter wrote:The question is how to create a CSR using the java6 Keytool.
There's no problem creating a SHA2 certificate since it also can be done with a lot of other tools.

I want a. to understand why java6 keytool won't create a sha2 while java7 keytool will
b. to be sure the certificate can be used on the webserver (WebLogic Server V10.3.0.0)

BTW:
The formal CSR is created by an admin in the company I work for
they don't have a java7 installation
and I don't know whether they will agree with creating a CSR with tooling they don't support


Since Java7 produces a valid CSR, the failure of Java6 to produce a valid CSR simply sounds like a bug in Java6 keytool that has just been fixed in Java7. Have you checked the bug database? If not, do so, and if you do not find a bug report matching your problem then you should raise one against Java6 keytool.

If the CA accepts a CSR created using Java7 then what would make the WebLogic Server reject the issued certificate? As I said, nothing in a CSR ties it or the resulting certificate to any Java version. Since you seem uncomfortable using beta software (in your shoes I probably would be) then ask your admin what tool they normally use for creating CSRs (I use OpenSSL to create CSRs and certificates but I'm not at the mercy of an admin and I don't use SHA256 for my CSRs).

 