For testing purposes only, SHA2 certificates can be generated with the "make" scripts that are supplied with XCOM r11.6 SP02. Here is what to do:
- Modify the "default_md=" parameter in the [req] section of the cassl.conf, clientssl.conf and serverssl.conf files in the %XCOM_HOME%\ssl directory. The value by default is "sha1". Change it to "sha256". The "default_md=" parameter can be found multiple times in the cassl.conf file. Make sure to modify the value for each parameter found.
- Modify the "default_bits=" parameter in the [req] section of the cassl.conf, clientssl.conf and serverssl.conf files in the %XCOM_HOME%\ssl directory. The value by default is "1024". Change it to "2048". Note: The value in the cassl.conf defaults to "2048".
- Modify the sample "makeclient.bat" and "makeserver.bat" to indicate that the certificates will be 2048 bit by changing the "rsa:1024" to "rsa:2048" on the openssl command:
e.g. openssl req -newkey rsa:2048 -out serverreq.pem -outform PEM -config serverssl.conf
- Now you can run the sample "make" scripts on your system
- Issue the "listca", "listclient" and "listserver" scripts to check the "Signature Algorithm: sha256WithRSAEncryption" on the certificates.
We want to strongly stress that this is for testing purposes only. You need to contact your Security Administrator to determine your sites security specifications in order to handle SSL certifcates. They may provide you with actual certificates for your production systems.The "make" scripts are SAMPLE scripts that you can modify and maintain for testing purposes.