You need to add/change the "default_md" for the "req" section. You are probably changing the value in the "CA_default" section, and that's why it's not reflected in your certificate. Here's what needs to be done in the openssl.cnf file.

[ req ]
<SNIP>
default_md = sha1
<SNIP>

-Sandeep

On Mon, Oct 26, 2009 at 2:12 AM, Madhu <mkou...@rediffmail.com> wrote:
> Hello,
>
> I want to generate a self signed certificate that uses 'sha1RSA' as
> signature algorithm.
>
> I tried changing the default signature algorithm in OpenSSL config file
> (default_md), but there is no effect of the change on the certificate. The
> certificate shows 'md5RSA' as the signature algorithm.
>
> Appreciate any help on how to achieve this.
>
> Here are the detailed steps for your reference.
> 1) vi /etc/sfw/openssl/openssl.cnf
> 2) Original: default_md=md5. Modified this to default_md=sha1
> 3) Restarted the system
> 4) Gave the following commands
>    /usr/sfw/bin/openssl genrsa 1024 > host.key
>    chmod 400 host.key
>    /usr/sfw/bin/openssl req -new -x509 -days 365 -key host.key > host.cer
> 5) Irrespective of the value for "default_md" in the openssl.cnf file, the
>    signature algorithm is specified as "md5RSA" in the certificate.
> 6) When I give the following command, the sha1 signature algorithm is used,
>    however changing to the following command introduces lot of additional
>    dependencies in my code.
>    /usr/sfw/bin/openssl req -new -x509 -sha1 -days 365 -key host.key > host.cer
> 7) Version of OpenSSL used is 0.9.7d 17 Mar 2004 (+ security patches to
>    2006-09-29) on a Solaris 10 machine with kernel patch id 137138-09.
> 8) I've performed a truss and dtrace to find the value read from the config
>    file, but was not able to view the values for config parameters.
>
> Thanks
> Madhu
>
> madhu
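
The section mix-up described in the reply above, as an added example that is not part of the original thread: a small sh/awk check that reports which section of an openssl.cnf sets default_md. The function names and the sample config are constructed for illustration; the section names "req" and "CA_default" are the ones named in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports default_md per config
# section so a value set under [ CA_default ] is not mistaken for the one
# that "openssl req" looks up under [ req ].

# section_md FILE SECTION -> prints the default_md value set in SECTION, if any
section_md() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                        # strip comments
        /^[ \t]*\[/ {                             # section header: [ name ]
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            insec = (name == want)
            next
        }
        insec && /^[ \t]*default_md[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)         # keep text after "="
            sub(/[ \t]+$/, "", val)               # trim trailing blanks
            found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_req_md FILE -> returns 0 if [ req ] sets default_md, 1 otherwise
check_req_md() {
    req=$(section_md "$1" req)
    ca=$(section_md "$1" CA_default)
    if [ -n "$req" ]; then
        echo "[ req ] default_md = $req"
        return 0
    fi
    echo "[ req ] sets no default_md; [ CA_default ] has '${ca:-none}'"
    return 1
}

# Constructed sample: digest changed only under [ CA_default ].
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = sha1    # used by "openssl ca"
[ req ]
default_bits = 1024
# default_md = sha1
EOF
check_req_md "$sample" || echo "fix: set default_md under [ req ]"
```

After editing the real file, `openssl x509 -in host.cer -noout -text` shows the resulting "Signature Algorithm" line of the certificate.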