Open Radar

 
Summary:
When generating a CSR & key pair using the Certificate Assistant in Yosemite, it is not possible to chose the SHA256 hashing algorithm. The assistant is hard-coded to use SHA1, which is being phased out by some major browser vendors because they believe it to be too weak.

Since some CA's determine the hashing algorithm of the SSL certificate they issue based on the hashing algorithm in your CSR, this can cause them to generate a certificate that is no longer considered secure enough (if they are a lousy CA with bad UI, as most are).

Steps to Reproduce:
In Keychain Access for Yosemite:

1. Go to Keychain Access > Certificate Assistant > Open...
2. Click Continue
3. Select "Request a certificate from an existing CA", then click "Continue".
4. Enter a User Email Address, a Common Name, select "Saved to disk", and check "Let me specify key pair information".
5. Save the CSR file somewhere.
6. Choose a Key Size of 2048 and an Algorithm of "RSA", then click "Continue".
7. From terminal, run 
    openssl req -text -noout -verify -in path_to_csr_file_you_just_saved | grep 'Signature Algorithm'


Expected Results:
openssl output should be:
    Signature Algorithm: sha256WithRSAEncryption


Actual Results:
    Signature Algorithm: sha1WithRSAEncryption


Version:
10.10.1 (14B25)

Notes:
Certificate Assistant should do one of the following:

A. Hard-code the wizard to SHA256 instead of hard-coding it to SHA1. Users that need to support legacy browsers and OSes that only support SHA1 can use the openssl command line tool. 
B. Allow the user to chose between SHA256 and SHA1 hashing algorithms when generating a CSR. The default should be SHA256. 

http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html