I would like to know how to use the openSSL tools to sign a certificate signing request with sha256 as the message digest.
I don't quite understand if the digest is already computed in the request, or if it is computed by the CA.
For creating the request, the tool req allows you to specify which message digest to use, and -sha256 is an option.
However, for signing the requests, openSSL provides two tools: ca and x509. However, none of those allow for using sha256. According to the official documentation, ca only supports md5, sha1 and mdc2. x509 only supports md2, md5, sha1, mdc2.
Thank you.
I think the documentation might be old, actually. I believe it works, although it may or may not use the -md switch. Have you tried it, yet?
According to this thread, sha2 support was included by default awhile ago. So there's no reason it shouldn't work.
Indeed, this thread shows a user using -md sha256 with a ca command.
Also, this thread seems to corroborate that the sha256 switch can be enabled in the openssl.cnf file as the default_md for the CA.
And this thread shows some issues with the --help documentation.
Good luck!
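The two routes the answer points to, worked end to end as an added example that is not part of the original question or answer: `openssl x509 -req` with an explicit `-sha256`, and `openssl ca` with `default_md = sha256` in the config file (a `-md sha256` on the `ca` command line would override that setting). The script assumes a working `openssl` binary (1.1.1 or later, for `-addext`), and builds its own throwaway CA, keys, CSR and config; every directory, file name and CN in it is constructed for the demo. It also answers the question of where the digest is chosen: the digest given to `req` only signs the CSR itself (proof of possession), and the CA picks the digest for the issued certificate independently.

```shell
#!/bin/sh
# Added example, not from the original question or answer: sign a CSR with a
# SHA-256 digest via both `openssl x509 -req -sha256` and `openssl ca` with
# default_md = sha256 in the config, then read the signature algorithm back.
# All names (directory, CNs, file names) are constructed for this demo.
set -eu

# Write a minimal OpenSSL config into $2, rooted at directory $1.
# The [CA_default] default_md line is the openssl.cnf route from the answer;
# passing -md sha256 on the `openssl ca` command line overrides it.
write_ca_config() {
  cat > "$2" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $1
database      = $1/index.txt
new_certs_dir = $1/newcerts
serial        = $1/serial
certificate   = $1/ca.crt
private_key   = $1/ca.key
default_md    = sha256
default_days  = 30
policy        = policy_any

[ policy_any ]
commonName = supplied
EOF
}

# Build a throwaway CA and a CSR in directory $1, then sign the CSR both ways.
sign_csr_sha256() {
  dir="$1"
  cfg="$dir/openssl.cnf"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  write_ca_config "$dir" "$cfg"

  # Throwaway CA key and self-signed root (marked as a CA explicitly so
  # `openssl verify` accepts it on both 1.1.1 and 3.x).
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -config "$cfg" -x509 -new -key "$dir/ca.key" -sha256 -days 30 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -subj "/CN=Demo Test CA" -out "$dir/ca.crt"

  # End-entity key and CSR. -sha256 here only signs the CSR itself (proof of
  # possession); the CA chooses the certificate's digest independently.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -config "$cfg" -new -key "$dir/server.key" -sha256 \
    -subj "/CN=server.example.test" -out "$dir/server.csr"

  # Route 1: x509 -req with an explicit digest switch.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$dir/server_x509.crt" 2>/dev/null

  # Route 2: openssl ca, digest taken from default_md in the config file.
  openssl ca -config "$cfg" -batch -notext -in "$dir/server.csr" \
    -out "$dir/server_ca.crt" >/dev/null 2>&1
}

# Print the signature algorithm recorded in certificate $1
# (e.g. sha256WithRSAEncryption).
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only when both certificates are SHA-256 signed and chain to the CA.
check_both() {
  [ "$(sig_alg "$1/server_x509.crt")" = sha256WithRSAEncryption ] || return 1
  [ "$(sig_alg "$1/server_ca.crt")" = sha256WithRSAEncryption ] || return 1
  openssl verify -CAfile "$1/ca.crt" "$1/server_x509.crt" "$1/server_ca.crt" >/dev/null
}

work=$(mktemp -d)
sign_csr_sha256 "$work"
check_both "$work" && echo "both certificates use $(sig_alg "$work/server_ca.crt")"
```

The `sig_alg` check is the part worth keeping in a real pipeline: whatever the `-md` switch or `default_md` says, the issued certificate's `Signature Algorithm` field is the ground truth, and an unexpected `sha1WithRSAEncryption` there means the digest setting was silently ignored or overridden somewhere in the config chain.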