From b3cd2ffd8a80f30b171b2a1c0a8b6dd5ee787b62 Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Wed, 11 May 2016 10:41:45 -0400
Subject: [PATCH] SSPCPP-686 - Switch to SHA-2 certs and 3072 bit keys on install
https://issues.shibboleth.net/jira/browse/SSPCPP-686
---
 configs/keygen.bat | 6 +++---
 configs/keygen.sh | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/configs/keygen.bat b/configs/keygen.bat
index ae223a4..14a5fdb 100644
--- a/configs/keygen.bat
+++ b/configs/keygen.bat
@@ -31,12 +31,12 @@ if not defined FQDN goto guess_fqdn
 :generate
 set PATH=%PATH%;%ProgramFiles%\Shibboleth\SP\lib\
 set CNF="%PREFIX%sp-cert.cnf"
-echo # OpenSSL configuration file for creating sp-cert.pem >%CNF%
+echo # OpenSSL configuration file for creating keypair >%CNF%
 echo [req] >>%CNF%
 echo prompt=no >>%CNF%
-echo default_bits=2048 >>%CNF%
+echo default_bits=3072 >>%CNF%
 echo encrypt_key=no >>%CNF%
-echo default_md=sha1 >>%CNF%
+echo default_md=sha256 >>%CNF%
 echo distinguished_name=dn >>%CNF%
 echo # PrintableStrings only >>%CNF%
 echo string_mask=MASK:0002 >>%CNF%
diff --git a/configs/keygen.sh b/configs/keygen.sh
index 4ee69f6..002acd9 100755
--- a/configs/keygen.sh
+++ b/configs/keygen.sh
@@ -50,12 +50,12 @@ fi SSLCNF=$OUT/sp-cert.cnf cat >$SSLCNF <
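Review bot: In configs/keygen.bat the new `default_bits=3072` and `default_md=sha256` lines carry no source comment recording that they are a deliberate security baseline, and the diffstat shows the same pair maintained separately in configs/keygen.sh, so the two installers can drift apart silently. I would add `rem Key size and digest are a security baseline (SSPCPP-686); keep in step with keygen.sh` above the `echo default_bits` line. `default_md` in the request config only applies when the `openssl req` invocation passes no explicit digest option; that call lies outside this hunk, so it is worth confirming that the generated certificate is actually SHA-256 signed. The `:generate` section continues past the end of the hunk.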