如何在 openssl 中创建 sha256 指纹 [英] How can I create a sha256 fingerprint in openssl

问题描述

我想sha256指纹 使用openssl.我试过了，但你必须sha1.我该怎么办?

I want to sha256 the fingerprint Use the openssl. I tried, but you have to sha1. What will i do?

我使用的是 OpenSSL 1.0.1f.

I'm using OpenSSL 1.0.1f.

命令

openssl md5 * >rand.dat

openssl genrsa -rand rand.dat -aes256 2048 > server.key

openssl req -new -key server.key -sha256 -config openssl.cfg > server.csr

openssl x509 -fingerprint -sha256 -in server.csr -req -signkey server.key -extensions v3_req -extfile openssl.cfg -out server.cer

改成默认如下:

[ CA_default ]
default_md  = sha256    # Change

[ req ]
req_extensions = v3_req     # Uncomment

推荐答案

如何在openssl中创建sha256指纹

How can I create a sha256 fingerprint in openssl

-sha256 正确.

您如何与您的证书颁发机构签署 OpenSSL 证书签名请求?.

根据反馈，使用 -fingerprint 时，SHA1 似乎是硬编码的.以下来自 <openssl dir>/apps/x509.c(所有 OpenSSL 应用程序，如 ca、x509、encrypt、decrypt 等位于 apps/ 中).从 x509.c 的第 935 行开始:

Based on the feedback, it appears SHA1 is hard coded when using -fingerprint. Below is from <openssl dir>/apps/x509.c (all OpenSSL apps, like ca, x509, encrypt, decrypt, etc are located in apps/). From around line 935 of x509.c:

else if (fingerprint == i)
    {
    int j;
    unsigned int n;
    unsigned char md[EVP_MAX_MD_SIZE];
    const EVP_MD *fdig = digest;

    if (!fdig)
        fdig = EVP_sha1();

    if (!X509_digest(x,fdig,md,&n))
        {
        BIO_printf(bio_err,"out of memory\n");
        goto end;
        }
    BIO_printf(STDout,"%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(fdig)));
    ....

至于const EVP_MD *fdig =digest，可以设置digest.但我不知道应该使用什么开关.从第 475 行开始:

As far as const EVP_MD *fdig = digest, digest can be set. But I can't tell what switch is supposed to be used. From around line 475:

else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
    {
    /* ok */
    digest=md_alg;
    }

对我来说，这看起来很糟糕.

That looks broke to me.

这篇关于如何在 openssl 中创建 sha256 指纹的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！