keygeneration: small tweaks

A couple of consistency changes to key generation. First, unify the
kernel subkey algorithm between premp and mp generation. Second, specify
sha256 for android certs (as that's the default in the version of
openssl in the docker container, but sha1 is the default on the hsm
client).

BUG=b:515493293
TEST=None
BRANCH=None

Signed-off-by: Benjamin Shai <bshai@google.com>
Change-Id: If35100a702d02f4e28de902bacaf4508e63e61bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/7919727
Reviewed-by: Madeleine Hardt <hardtmad@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
diff --git a/scripts/keygeneration/common.sh b/scripts/keygeneration/common.sh
index 328b75f..a9dee05 100644
--- a/scripts/keygeneration/common.sh
+++ b/scripts/keygeneration/common.sh
@@ -57,7 +57,7 @@
 RECOVERY_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
 MINIOS_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
 INSTALLER_KERNEL_ALGOID=${RSA4096_SHA512_ALGOID}
-KERNEL_SUBKEY_ALGOID=${RSA4096_SHA256_ALGOID}
+KERNEL_SUBKEY_ALGOID=${RSA4096_SHA512_ALGOID}
 KERNEL_DATAKEY_ALGOID=${RSA2048_SHA256_ALGOID}
 
 # AP RO Verification.
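Review bot: the new `KERNEL_SUBKEY_ALGOID=${RSA4096_SHA512_ALGOID}` line carries no comment saying it has to stay in step with the other generation path, so nothing in this file stops the premp and mp values from drifting apart again. A one-line comment above the assignment naming the script that must agree with it would help, or better, have that script read this variable instead of setting its own value. With TEST=None on a signing-algorithm change, it would also help to state in the commit message whether keysets already generated with the old `RSA4096_SHA256_ALGOID` value are affected or only new ones.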
diff --git a/scripts/keygeneration/create_new_android_keys.sh b/scripts/keygeneration/create_new_android_keys.sh
index 9709742..c181861 100755
--- a/scripts/keygeneration/create_new_android_keys.sh
+++ b/scripts/keygeneration/create_new_android_keys.sh
@@ -40,7 +40,7 @@
 
   # Create a certificate with the public part of the key.
   openssl req -new -x509 -key "${dir}/temp.pem" -out "${dir}/${name}.x509.pem" \
-    -days 10000 -subj "${SUBJECT}"
+    -days 10000 -subj "${SUBJECT}" -sha256
 
   # Create a PKCS#8-formatted version of the private key.
   openssl pkcs8 -in "${dir}/temp.pem" -topk8 -outform DER \
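Review bot: the reason for pinning `-sha256` on the `openssl req -new -x509` call appears only in the commit message, not in the script, so a later cleanup could drop the flag as redundant with the container's openssl default. Extend the existing comment, for example "# Create a certificate with the public part of the key. Digest is set explicitly because tool defaults differ (sha256 in the docker openssl, sha1 on the hsm client)." Since TEST=None, a quick check that the generated `${name}.x509.pem` reports a SHA-256 signature algorithm under `openssl x509 -noout -text` would confirm that the flag takes effect in both environments.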