This might be me having done it wrong. I recently used OpenSSL to convert a .cer to .pem using this –
openssl x509 -inform der -in certificate.cer -out certificate.pem
(And then loaded the .pem onto the loadbalancer)
However, the client browser (Chrome) reports it's SHA-1, and although it works (connectivity-wise), it doesn't look good. Plus SHA-1 is old/being phased out.
Is this because of the openssl command I used? Should I have used -sha256 in my openssl command (from a quick googling around)?
As you can tell, bit new to certificates!
Best Answer
The "SHA-1" or "SHA-256" mentioned in Chrome is the hash that was used by the CA (Certification Authority) to create the signature on the certificate. The command you ran doesn't change the certificate at all, it merely changes the file format used (.cer is just the raw ASN.1 encoded certificate data; .pem is a base64-encoded form of the same ASN.1 data). The hashing scheme used for the signature is unrelated to the file formats.
If you want a SHA-256 certificate, you'll need to have one issued by a CA. These days, it's pretty much guaranteed that you'll get a SHA-256 certificate, because SHA-1 is very, very deprecated (hence why Chrome is warning you about it).
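An added illustration of the answer's point (example code, not from the original post or from OpenSSL): the DER-to-PEM conversion is only base64 armour, and the signature algorithm is a field inside the certificate bytes, so it reads identically from both encodings. The certificate bytes below are a constructed stand-in carrying the sha1WithRSAEncryption OID, not a real certificate; the OID-to-name table is from RFC 3279/4055.

```python
import base64

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) mapped to the names openssl prints.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def der_to_pem(der: bytes) -> str:  # same job as `openssl x509 -inform der -out cert.pem`
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:  # inverse: strip armour lines, base64-decode to identical DER
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def _read_tlv(buf: bytes, pos: int):  # one DER header at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } (RFC 5280)."""
    tag, pos, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, tbs_end = _read_tlv(der, pos)             # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    oid_tag, s, e = _read_tlv(der, alg_start)       # AlgorithmIdentifier.algorithm
    assert oid_tag == 0x06, "expected OID"
    oid = _decode_oid(der[s:e])
    return SIG_ALG_OIDS.get(oid, oid)

# Constructed stand-in (not a real certificate): minimal tbsCertificate, SHA-1/RSA OID, dummy BIT STRING.
def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value         # short-form length only (< 128 bytes)

SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01"))
                  + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105")) + _tlv(0x05, b""))
                  + _tlv(0x03, b"\x00" + b"\xab" * 4))
```

Running `signature_algorithm` on `SAMPLE_DER` and on `pem_to_der(der_to_pem(SAMPLE_DER))` returns the same `sha1WithRSAEncryption`; only a CA-issued certificate signed with SHA-256 changes that field.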