How To Change The Zentyal Certificate Algorithm From SHA-1 To SHA256

How To Change The Zentyal Certificate Algorithm From SHA-1 To SHA256

Get Social!

logo-zentyal-blackAs of Zentyal version 4.2 the bundled certificate authority (CA) module is creating signed certificates using the SHA-1 algorithm which is an old algorithm and pretty much deprecated.

Google Chrome, for example, will give a warning when accessing any SSL page that’s encrypted stating that your connection is not secure.

SSL Certificates created now should, as a minimum, use the the SHA256 algorithm to ensure encrypted connections are kept private. To change Zentyal to use the SHA256 algorithm, you’ll need to make a small edit to your openssl.cnf file.

And look for default_md within the file. It will currently show as sha1 like below:

Edit the value and enter sha256.

You’ll then need to log into the Zentyal Admin site and revoke and re-issue all of your sha1 certificates.

I’ve submitted a pull request on Github to have the default changed for new installations.

OpenSSL Certificate Cheat Sheet

Get Social!

openssl-logoThese commands cover the basics of OpenSSL and are valid for either Windows or Linux with the exception that paths may need to be corrected for the respective platform.

Install OpenSSL

For windows

For Ubuntu

Create Private Key

The last argument in the below line is the key length. This can be changed to 2048 or 4096 if required for better encryption.

Generate a CSR (Certificate Signing Request)

You will be asked for the details of the certificate such as domain name and address when running this command.

Remove Passphrase from Key

Some applications do not allow for the private key to have a passphrase. The below commands will remove the passphrase – be careful as it will mean the key is no longer protected and can be viewed by anyone with read access to the file.

Generating a Self-Signed Certificate

Once you have generated a key and CSR you will need to sign the request and generate the public certificate. If you do not have a certificate authority you can sign the certificate yourself. The below will generate a certificate which is valid for one year.

Convert x509 to pem

pkcs12 to pem – key only

Use the below command to extract only the key from a pkcs12 certificate.

pkcs12 to pem – certificate only

Use the below command to extract only the public certificate from a pkcs12 certificate.

Check a private key

You can check a private key with the below command.

Check a certificate

Use the below command to check a certificate.


Bash Script to Create an SSL Certificate Key and Request (CSR)

Category : How-to

Get Social!

padlockCreating multiple SSL certificates for web servers and application can be a repetitive task. Generally speaking, when creating these things manually you would follow the below steps:

  • Create a certificate key.
  • Create the certificate signing request (CSR) which contains details such as the domain name and address details.
  • Sign the certificate
  • Install the certificate and key in the application.

If nothing else, typing out the address and organisation for every certificate can be laborious.

The below script allows you to hard code many of the details to avoid the repetition and only specify the domain name as an argument. The script is dependent on openssl which can be installed using your distributions package manger or from their website. Use apt-get on Debian/ Ubuntu:

Once you have openssl installed, copy the below script to a file called gen-cer.

Make sure your script has execute permissions.

You can then call the script with ./gen-cer and specify your domain name as an argument. For example:

The script will then output the key as well as the CSR which you will need to submit to your certificate authority (CA).

Visit our advertisers


Quick Poll

Do you use ZFS on Linux?

Visit our advertisers