From 24a76612ae49d15df51c79f28900e004dda88808 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 27 Oct 2025 06:41:05 -0400
Subject: [PATCH] Use sha284 hash algorithm

Some implementations reject sha256 as inadequate if ecdsa has 384 bit keylength. Bring the digest up to match the key size for the ECDSA.
---
 confluent_server/confluent/certutil.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index f469bd8f..74827304 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -242,7 +242,7 @@ def create_full_ca(certout):
 subprocess.check_call(
 ['openssl', 'ca', '-config', newcfg, '-batch', '-selfsign', '-extensions', 'CACert', '-extfile', newcfg,
- '-notext', '-startdate',
+ '-notext', '-startdate', '-md', 'sha384',
 '19700101010101Z', '-enddate', '21000101010101Z', '-keyfile', keyout, '-out', '/etc/confluent/tls/ca/cacert.pem', '-in', csrout]
 )
@@ -378,7 +378,7 @@ def create_certificate(keyout=None, certout=None, csrfile=None, subj=None, san=N
 subprocess.check_call([
 'openssl', 'ca', '-config', cacfgfile, '-rand_serial', '-in', csrfile, '-out', certout, '-batch', '-notext',
- '-startdate', startdate, '-enddate', enddate,
+ '-startdate', startdate, '-enddate', enddate, '-md', 'sha384',
 '-extfile', extconfig, '-subj', subj
 ])
 for keycopy in tlsmateriallocation.get('keys', []):
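Review bot: The digest literal `'sha384'` is now hard-coded at two call sites (this hunk in create_full_ca and the second hunk in create_certificate) with nothing in the code tying it to the key that was actually generated; a single module-level constant such as `CA_SIGNING_DIGEST = 'sha384'  # match the digest to the P-384 CA key: some verifiers reject sha256 signatures from a 384-bit ECDSA key` used in both `openssl ca` argument lists would keep the two invocations in sync and record the rationale from the commit message in the code itself. If key generation elsewhere in certutil.py can produce a different curve or an RSA key, the digest should presumably be selected alongside the key rather than fixed here — worth confirming. Note that `-md` on the command line overrides any `default_md` in the generated config, so a config-level digest setting no longer affects these two commands. Both enclosing functions start and end outside their hunks, and the subject line reads `sha284` where the patch uses `sha384`.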