[How to] Change signature algorithm in SSL certificate signing request from SHA-1 to SHA-2 in Plesk 12.0?

Created: 2016-11-16 12:43:09 UTC
Modified: 2017-04-24 11:03:08 UTC


Applicable to:

  • Plesk for Windows
  • Plesk for Linux

Question

How do I switch from SHA-1 to SHA-2 for the Certificate Signing Request (CSR) in Plesk 12.0? This is required by the PayPal vulnerability alert:

https://devblog.paypal.com/paypal-ssl-certificate-changes/

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US

Alternatively, the following error is shown when trying to order a certificate from a CA with a Plesk CSR:

[CODE: 2038] [MESSAGE: After 12/31/2016, most browsers will not trust certificates that use SHA1. Use SHA2 instead.]
Cannot parse CSR.

Answer

Edit the /usr/local/psa/admin/conf/openssl.cnf file (for Linux) or the %plesk_dir%\admin\conf\openssl.cnf file (for Windows) and add the line default_md = sha256 to the [req] section, so that the [req] section looks like this:

[ req ]

attributes=req_attributes
distinguished_name=req_distinguished_name
default_md = sha256

A list of known browsers, mobile devices, and servers supporting SHA-256 can be obtained from the SHA-256 compatibility article.

Note that by default OpenSSL uses SHA1 for the CSR.

To check whether the certificate served by the website is signed with SHA1 or SHA2, use the following command:

echo | openssl s_client -connect example.com:443 -servername example.com | openssl x509 -text | grep 'Signature Algorithm'

The output for SHA1:

Signature Algorithm: sha1WithRSAEncryption

The output for SHA2:

Signature Algorithm: sha256WithRSAEncryption
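
One way to confirm the edit took effect before ordering a certificate, as an added example that is not part of the original article: req_default_md reports the digest set in the [ req ] section of an openssl.cnf, and csr_sig_alg reads the signature algorithm from a CSR file. Both function names are assumptions made for this example, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original article).

# Print the default_md value that `openssl req` reads from the [ req ]
# section of the given openssl.cnf; print nothing if it is not set there.
req_default_md() {
    awk '
        # Section header such as "[ req ]" or "[req]": remember its name.
        /^[ \t]*\[[^]]*\]/ {
            section = $0
            sub(/^[ \t]*\[[ \t]*/, "", section)
            sub(/[ \t]*\].*$/, "", section)
            next
        }
        # default_md inside [ req ]; a later line overrides an earlier one.
        section == "req" && /^[ \t]*default_md[ \t]*=/ {
            md = $0
            sub(/^[^=]*=[ \t]*/, "", md)
            sub(/[ \t\r]*(#.*)?$/, "", md)   # drop trailing comment / CR
        }
        END { if (md != "") print md }
    ' "$1"
}

# Print the signature algorithm of a PEM-encoded CSR (needs openssl).
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Constructed sample: the line was added, but under the wrong section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ req ]
attributes=req_attributes
distinguished_name=req_distinguished_name

[ req_attributes ]
default_md = sha256
EOF
md=$(req_default_md "$sample")
echo "default_md in [ req ]: ${md:-not set}"
rm -f "$sample"
```

Run req_default_md against the openssl.cnf path given above, then csr_sig_alg against a newly generated CSR saved to a file; the CSR should report sha256WithRSAEncryption.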

4 Comments

  • ayush kabra

    I have tried the same, but it did not work for me. It's generating from SHA-1 only. Can you please help me more?

  • Anton Maslov

    Hi Ayush, what Plesk version and OS do you have?

  • ayush kabra

    Hi Anton,

    I am using Solaris 10, on which I am using openssl 'OpenSSL 0.9.7d 17 Mar 2004' version.

  • Anton Maslov

    @Ayush, are you using Plesk 12.0 on Solaris 10?
