ca md too weak / CA signature digest algorithm too weak

Upon upgrading to a new version of the operating system, the clients for the SSL secured Kafka streaming system stopped working. The errors were:

SSL routines:SSL_CTX_use_certificate:ca md too weak

and later on

CA signature digest algorithm too weak

In debugging the issue, I found the following openssl command useful: openssl x509 -in cert-signed.pem -text . The command includes the specific sections about the signature: Signature Algorithm: sha256WithRSAEncryption

After going through all the certificates, it turns out the CA certificate was signed with sha256 already. So while the error message is somewhat right but pointing in the wrong direction of the CA, just the client certificates needed a stronger signature from the CA. To do so, re-perform the signing with explicitly specifying sha256. For example:

openssl x509 -req -CA ca-cert.pem -CAkey ca-key -in client-cert.csr -out client-cert-signed.pem -days 365 -CAcreateserial -passin pass:mysecret -sha256

Replacing the client certificate then pointed to the broker certificates, which needed to undergo the same treatment.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s