Convert cert .cer to .pem via OpenSSL plus using SHA-256

self-signed-certificate ssl-certificate

This might be me having done it wrong. I recently used OpenSSL to convert a .cer to .pem using this –

openssl x509 -inform der -in certificate.cer -out certificate.pem

(And then loaded the .pem onto the loadbalancer)

However, the client browser (Chrome) reports it's SHA-1, and although it works (connectivity-wise), it doesn't look good. Plus SHA-1 is old/being phased out.

Is this because of the openssl command I used? Should I have used -sha256 in my openssl command (from a quick googling around)?

As you can tell, bit new to certificates!

Best Answer

The "SHA-1" or "SHA-256" mentioned in Chrome is the hash that was used by the CA (Certification Authority) to create the signature on the certificate. The command you ran doesn't change the certificate at all; it merely changes the file format used (.cer is just the raw ASN.1 encoded certificate data; .pem is a base64-encoded form of the same ASN.1 data). The hashing scheme used for the signature is unrelated to the file formats.

If you want a SHA-256 certificate, you'll need to have one issued by a CA. These days, it's pretty much guaranteed that you'll get a SHA-256 certificate, because SHA-1 is very, very deprecated (hence why Chrome is warning you about it).
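The point made in the answer above can be checked directly. The following is an added example, not part of the original answer: a small Python parser that reads the signature algorithm out of the certificate bytes and shows it is identical before and after the .cer to .pem conversion. The function names are hypothetical and the sample is a constructed, certificate-shaped DER structure rather than a real certificate.

```python
import base64, textwrap

SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                     # base-128, high bit means more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(der, 0)             # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier
    _, oid_start, oid_end = read_tlv(der, alg_start)
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem):
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def tlv(tag, body):                        # helper for the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body

# Constructed sample: certificate-shaped DER with a SHA-1 signature algorithm, not a real cert.
SHA1_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")
TBS = tlv(0x30, tlv(0x02, b"\x01") + SHA1_RSA)
SAMPLE_DER = tlv(0x30, TBS + SHA1_RSA + tlv(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(signature_algorithm(SAMPLE_DER), signature_algorithm(pem_to_der(pem)))
```

To inspect a real file, pass its bytes to `signature_algorithm`, running a .pem file through `pem_to_der` first.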