whird.jpope.org cover image

StartSSL SHA256 Certs

This is mostly a FYI (and for myself to remember) post. If you use StartSSL to provide your certs (the free certs, class1), you may want (at least eventually) to update your StartSSL intermediate certs from the sha1 certs to the sha256 certs. The sha1 certs are at: https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/sub.class1.server.ca.pem The sha256 certs are at: https://www.startssl.com/certs/ca-sha2.pem https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem And then use these sha256 certs as you would with the sha1 certs. On the next round of cert updating that I do for my domains, I have created a new csr with the -sha256 flag so that when I request new certs, they will be sha256. The command I used to generate the new key and csr: openssl req -sha256 -new -newkey rsa:4096 -nodes -keyout <name>.key -out <name>.csr I set up a testing page for my SSLLabs testing. Aside from the OSCP errors due to putting the new certs in today (2014.11.17), everythin…