Google has announced a sunset for SHA-1 certificate signatures in Chrome. SHA-2 (aka SHA-256, SHA-384, and SHA-512) is the remaining option for certificate signatures. I decided to upgrade my certificates to SHA-2 (256 bits). However, when I tried to use tinyca2 to generate a SHA-2 certificate, I found it was not supported.
tinyca2 is a Perl package, so I looked at the code to see how difficult it would be to update. The code is easy to read and well modularized. Adding SHA-2 involves changes to the OpenSSL components. I updated six files, although support can be added with fewer.
Patches are attached at the end of this post. An additional patch to apply the selected digest when creating sub-CAs (thanks to Cédric Dufour) has been included.
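As an added example (not code from tinyca2 or from this post), the following Go program issues a test certificate with a requested signature algorithm and classifies the digest family of any parsed certificate, which is the check to run over an existing certificate store to find the SHA-1 signatures that Chrome will stop accepting. The subject name is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// digestOf names the hash family behind a certificate's signature algorithm,
// so SHA-1 signatures can be separated from SHA-2 ones in an inventory scan.
func digestOf(alg x509.SignatureAlgorithm) string {
	switch alg {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return "SHA-1"
	case x509.SHA256WithRSA, x509.SHA256WithRSAPSS, x509.DSAWithSHA256, x509.ECDSAWithSHA256:
		return "SHA-256"
	case x509.SHA384WithRSA, x509.SHA384WithRSAPSS, x509.ECDSAWithSHA384:
		return "SHA-384"
	case x509.SHA512WithRSA, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA512:
		return "SHA-512"
	default:
		return "other" // MD2/MD5, Ed25519 (no separate digest), or unknown
	}
}

// issueSelfSigned creates a short-lived self-signed CA certificate whose
// signature uses the requested algorithm, then re-parses the DER output the
// way a scanner reading certificates from disk would.
func issueSelfSigned(alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sha2-test.example"}, // constructed placeholder
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		SignatureAlgorithm:    alg,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := issueSelfSigned(x509.ECDSAWithSHA256)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> %s\n", cert.SignatureAlgorithm, digestOf(cert.SignatureAlgorithm))
}
```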