Keytool keeps giving SHA256 sigalg instead of requested alg

Question

I am using Keytool in java to generate a keystore/CSR to submit to a certificate Authority.

My CA only supports MD5withRSA and SHA1withRSA

Everytime I use keytool to create the keystore and export the CSR I am getting a SHA256withRSA signature Algorithm.

I've tried manually setting the -sigalg but it keeps going to sha256 everytime whether i try to set it to md5 or sha1

Can someone advise me on what I'm doing wrong

keytool -genkey -alias server -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore www_mydomain_com.jks -dname "CN=www.mydomain.com,OU=it, O=mycompany, L=thecity, ST=thestate, C=US" && keytool -certreq -alias server -file www_mydomain_com.csr -keystore www_mydomain_com.jks

keytool -genkey -alias server -keyalg RSA -sigalg MD5withRSA -keysize 2048 -keystore www_mydomain_com.jks -dname "CN=www.mydomain.com,OU=it, O=mycompany, L=thecity, ST=thestate, C=US" && keytool -certreq -alias server -file www_mydomain_com.csr -keystore www_mydomain_com.jks

Both commands create a csr that shows SHA256withRSA

Answer 1

You should add -sigalg SHA1WithRSA parameter to the second keytool call, where CSR is actually generated.

Answer 2

$ keytool -genkey -alias selfsignedcert -keyalg RSA -sigalg SHA1withRSA -keypass privatepassword -keystore identity.jks -storepass password -validity 365

Answer 3

You have to assign the sigalg when you create the CSR (not the keystore):

$ keytool -certreq -alias <alias> -keystore <keystore>.jks -file <file>.csr -sigalg SHA1WithRSA

Answer 4

sha1 is already expired and valid only til 2016. You have to upgrade to sha2. Try it and let me know if that solves your problem. -Jed A