New Thawte certificate: error "Your CSR uses an unsupported signature digest algorithm"

When importing the new CSR at Thawte, you get this error:
Your CSR uses an unsupported signature digest algorithm. 
Regenerate your DSA CSR using SHA-256 or your RSA CSR 
using SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512 or ECC CSR using SHA-256.
Fix:
1. Check whether the installed OpenSSL version can produce SHA-2 certificates:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\xampp\apache\bin>openssl
WARNING: can't open config file: C:\OpenSSL-Win32\bin\openssl.cfg
OpenSSL> dgst --help
unknown option '--help'
options are
-c              to output the digest with separating colons
-r              to output the digest in coreutils format
-d              to output debug info
-hex            output as hex dump
-binary         output in binary form
-sign   file    sign digest using private key in file
-verify file    verify a signature using public key in file
-prverify file  verify a signature using private key in file
-keyform arg    key file format (PEM or ENGINE)
-out filename   output to filename rather than stdout
-signature file signature to verify
-sigopt nm:v    signature parameter
-hmac key       create hashed MAC with key
-mac algorithm  create MAC (not neccessarily HMAC)
-macopt nm:v    MAC algorithm parameters or key
-engine e       use engine e, possibly a hardware device.
-md4            to use the md4 message digest algorithm
-md5            to use the md5 message digest algorithm
-mdc2           to use the mdc2 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm
-sha            to use the sha message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-whirlpool      to use the whirlpool message digest algorithm
error in dgst
OpenSSL>

The -sha256 switch shows that this is possible.

2. Now you only need to adjust openssl.conf, line 3:

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
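
To confirm the change took effect before uploading the CSR again, the digest it is signed with can be read back from the request itself. The script below is an added example, not part of the original post; the subject, file names and minimal config are constructed, and it sets default_md in the [ req ] section, which is where "openssl req" reads it (a digest switch such as -sha256 on the command line overrides the config).

```sh
#!/bin/sh
# Added example: check which digest a CSR is signed with before uploading it.
# The subject, file names and minimal config are constructed for illustration.

# Print the CSR's signature algorithm, e.g. "sha256WithRSAEncryption".
csr_sigalg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only if the CSR is signed with a SHA-2 family digest.
csr_is_sha2() {
    case "$(csr_sigalg "$1" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a throwaway RSA key and CSR in directory $1. $2 becomes default_md in
# the [ req ] section, which is where "openssl req" looks for it; any further
# arguments (such as -sha512) go to "openssl req" and override the config.
make_demo_csr() {
    dir=$1; md=$2; shift 2
    cat > "$dir/req.cnf" <<EOF
[ req ]
default_md         = $md
prompt             = no
distinguished_name = dn

[ dn ]
CN = csr-test.example
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/demo.key" -out "$dir/demo.csr" "$@" 2>/dev/null
}

# Demo run: generate a CSR with default_md = sha256 and report its digest.
demo_dir=$(mktemp -d)
make_demo_csr "$demo_dir" sha256
echo "signature algorithm: $(csr_sigalg "$demo_dir/demo.csr")"
csr_is_sha2 "$demo_dir/demo.csr" && echo "OK: SHA-2 signed CSR"
rm -rf "$demo_dir"
```

For an existing request, csr_sigalg and csr_is_sha2 can be pointed at the real CSR file instead of the demo one.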

 

Further information:

http://techglimpse.com/sha256-hash-certificate-openssl/