SHA2/256 SSL Certificates? Your experiences?
What are your everyday experiences with SHA2/256 SSL Certificates? Still major problems with browsers and e-mail clients?
Is cPanel officially supporting these certs under 11.38?
-
Hello :) cPanel supports the following key sizes: 2048 bits and 4096 bits. 256-bit encryption for certificates is supported. Thank you.
cPanelMichael, could you elaborate a bit on this for me? If I wanted a SHA2 / SHA256 SSL certificate, would I do this via the initial CSR generation? If so, do I simply choose 4096 bits, instead of 2048 bits? You mention that 256-bit encryption for certificates is supported, but how do I do that? There is nothing on the CSR generation form that says anything about SHA1, SHA2, SHA256 or 256-bit encryption. The Generate an SSL Certificate and Signing Request page (http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/GenerateCert) makes no mention of it either. Thanks for any light you can shed on the subject! - Scott
[quote="sneader, post: 1733871"]cPanelMichael, could you elaborate a bit on this for me? If I wanted a SHA2 / SHA256 SSL certificate, would I do this via the initial CSR generation?[/quote]
No, this is done on the CA's side. If you now have a cert with SHA-1 you can ask for a reissue with SHA-2.
[quote="PlotHost, post: 1735192"]No, this is done on the CA's side. If you now have a cert with SHA-1 you can ask for a reissue with SHA-2.[/quote]
The certificate is signed by the CA, but the CSR is generated by cPanel, and it must call openssl with the -sha256 argument, otherwise it will be SHA-1. I ran into this issue today; I generated a key and CSR in cPanel, then requested a certificate via StartSSL and the result was a SHA-1-signed certificate, even though StartSSL lists it as deprecated, because that was what the cPanel-generated CSR said. Microsoft and Google are driving a migration to SHA-256. Chrome will soon warn when it sees a SHA-1-signed certificate with an expiry date after 2015 as secure but with errors, and those which expire after 2016 as insecure (http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html). Already, SSL Labs has lowered their grade (https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know). cPanel should start generating SHA-256 signing requests by default, or at least offer the option of what signing algorithm to request.
I have submitted a feature request suggesting deprecation of SHA-1 CSRs in cPanel.
@GreenReaper: Am I understanding you correctly that there is no way to do a CSR in cPanel/WHM for a SHA256 Certificate?
[quote]the CSR is generated by cPanel, and it must call openssl with the -sha256 argument, otherwise it will be SHA-1[/quote]
How do I "call openssl with the -sha256 argument" and get a SHA256-compatible CSR? I tried to find your Feature Request but was not successful. Can you send me the link? Thanks! - Scott
@sneader There appears to be no way to specify that the CSR should be signed with sha256 (which is done when using the command-line openssl utility by passing '-sha256' on the command line, along with all the other parameters). It appears that some places, like StartSSL, determine the signing algorithm by the CSR, and so it restricts the certificates granted. In any case, if the SHA1 algorithm is insecure, such CSRs may eventually no longer be accepted, so it's an important option. The feature request is over here (in moderation): http://features.cpanel.net/responses/generate-sha-256-csrs-by-default-deprecate-sha-1-csrs
[quote="GreenReaper, post: 1745902"]@sneader There appears to be no way to specify that the CSR should be signed with sha256 (which is done when using the command-line openssl utility by passing '-sha256' on the command line, along with all the other parameters). It appears that some places, like StartSSL, determine the signing algorithm by the CSR, and so it restricts the certificates granted. In any case, if the SHA1 algorithm is insecure, such CSRs may eventually no longer be accepted, so it's an important option. The feature request is over here (in moderation): http://features.cpanel.net/responses/generate-sha-256-csrs-by-default-deprecate-sha-1-csrs[/quote]
So what would be the command line to issue to create this? Also, cPanel, let's get this solved ASAP, as the deadline is basically now for Chrome.
[quote="GreenReaper, post: 1745902"]The feature request is over here (in moderation): http://features.cpanel.net/responses/generate-sha-256-csrs-by-default-deprecate-sha-1-csrs[/quote]
The feature is finally out of moderation and I've "liked" it. I sure hope it gathers some additional votes, as right now it's just 4 of us, and likely not even on cPanel's radar. Ouch. - Scott
[quote="ethical, post: 1748181"]So what would be the command line to issue to create this?[/quote]
Something like this (http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl), only add -sha256 on the end of the "Create a CSR" step.
[quote="ethical, post: 1748181"]So what would be the command line to issue to create this?[/quote]
I asked about this on the Feature Request page, and Kenneth Power from cPanel replied with the following command line, which should do the trick!:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";
I haven't tested this, but will be trying soon.
[quote="ethical, post: 1748181"]Also, cPanel, let's get this solved ASAP, as the deadline is basically now for Chrome.[/quote]
Also on the Feature Request page, Kenneth mentioned that SHA2/SHA256 will be the default starting in 11.46, and then that feature will be back-ported to 11.44. ETA is roughly late November for inclusion in 11.44; not sure when 11.46 will be out, but it would be before then. So, things are moving in the right direction! Thanks cPanel!! - Scott
Yea. What he said. :)
[quote="sneader, post: 1749951"]I asked about this on the Feature Request page, and Kenneth Power from cPanel replied with the following command line, which should do the trick!:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";
I haven't tested this, but will be trying soon. Also on the Feature Request page, Kenneth mentioned that SHA2/SHA256 will be the default starting in 11.46, and then that feature will be back-ported to 11.44. ETA is roughly late November for inclusion in 11.44; not sure when 11.46 will be out, but it would be before then. So, things are moving in the right direction! Thanks cPanel!! - Scott[/quote]
Yep, I saw that and tried it out, but I had to make some modifications, including removing the http://; not sure why that was in the example, as it doesn't work (at least for me). See my example here (this was for a wildcard certificate). I ran this from a folder I created in /root/ for SSL certs, then I moved the respective CSR and KEY files to /etc/ssl/certs and /etc/ssl/private:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.YOURDOMAIN.COM.sha256.csr -keyout www.YOURDOMAIN.key -subj "/C=CA/ST=ON/L=YOURCITY/O=YOUR COMPANY NAME/OU=Web/CN=*.YOURDOMAIN.COM";
C= your 2 digit country code; L= your CITY; OU was missing but is the Operating Unit; ST= your State or province; O= your company name; CN= is your common name, so use a *. if creating a wildcard cert or www. for a regular one. Note: when installing the issued certificate using the WHM it will NOT pull the private KEY, so you have to make note of that and paste it yourself. hth J
You can also create 4096 bit certs with rsa:4096
Nice catches, ethical! Many thanks!! - Scott
OK, so according to the cPanel changelog 11.46 should allow the generation of sha256 certs, but it's not so, OR RapidSSL has a problem? It didn't work for me; when I created a cert and submitted it to RapidSSL I got back a standard sha1 certificate. Anyone have any thoughts on that? Thanks John
[quote="ethical, post: 1754922"]OK, so according to the cPanel changelog 11.46 should allow the generation of sha256 certs, but it's not so, OR RapidSSL has a problem? It didn't work for me; when I created a cert and submitted it to RapidSSL I got back a standard sha1 certificate. Anyone have any thoughts on that?[/quote]
Please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
[quote="ethical, post: 1754922"]OK, so according to the cPanel changelog 11.46 should allow the generation of sha256 certs, but it's not so, OR RapidSSL has a problem? It didn't work for me; when I created a cert and submitted it to RapidSSL I got back a standard sha1 certificate. Anyone have any thoughts on that? Thanks John[/quote]
RapidSSL / GeoTrust haven't rolled out full support from the get-go yet and are still issuing sha1 by default even if using a sha256 CSR. In order to get a sha256 you will need to re-issue the certificate via the GeoTrust re-issue interface, and then you can select the certificate type. I have yet to see any update as to when they will either provide the option from the start or just move completely over. I have a feeling it has to do with their API and the many different resellers, and getting everyone on board before it can be fully rolled out.
I need to renew a cert today, so crossing my fingers. I guess if GeoTrust isn't yet up to speed, I can always reissue it after they are.
[quote="_tyman_, post: 1754992"]RapidSSL / GeoTrust haven't rolled out full support from the get-go yet and are still issuing sha1 by default even if using a sha256 CSR. In order to get a sha256 you will need to re-issue the certificate via the GeoTrust re-issue interface, and then you can select the certificate type. I have yet to see any update as to when they will either provide the option from the start or just move completely over. I have a feeling it has to do with their API and the many different resellers, and getting everyone on board before it can be fully rolled out.[/quote]
Wow, just amazing, thanks for that info. Yea, I just realized it was (at the time I thought it was just my registrar provider not submitting the correct thing), but I really can't believe they can't get this put together, I mean this is their actual business, providing secure certificates! Edit: according to GeoTrust docs it should actually be included: "SHA-256 Options: Reminder: Due to the new NIST Suite B security requirements for hashes and algorithms, and in accordance with CA/B Forum guidelines Symantec will only be issuing 2048-bit RSA certificates, with an option of SHA-1 or SHA-256. All DSA 2048-bit compliant certificates will include SHA-256."
[quote="ethical, post: 1755121"]Wow, just amazing, thanks for that info. Yea, I just realized it was (at the time I thought it was just my registrar provider not submitting the correct thing), but I really can't believe they can't get this put together, I mean this is their actual business, providing secure certificates! Edit: according to GeoTrust docs it should actually be included: "SHA-256 Options: Reminder: Due to the new NIST Suite B security requirements for hashes and algorithms, and in accordance with CA/B Forum guidelines Symantec will only be issuing 2048-bit RSA certificates, with an option of SHA-1 or SHA-256. All DSA 2048-bit compliant certificates will include SHA-256."[/quote]
Basically Google sped up the process last month, beyond their original deprecation plans, so cPanel and many cert issuers were caught off guard. Symantec certs (EV) were the first to have been all sha-256, and then I think it was after the first of the year that GeoTrust and RapidSSL were to follow. I had people asking the day after Google announced the Chrome timeline and it was very hard to find any information from my reseller or even from the issuers themselves. It is a pain to get a cert and then have it re-issued right away to get the right coverage. At least I will soon be able to create a CSR via cPanel. While the command line for a regular one isn't too bad, a multi-domain CSR is a huge pain to generate!
Since 11.46 is out, I thought I'd try creating a new CSR. It seems to still have created with sha1. Should sha256 be the default in WHM 11.46?
[quote="ladydi711, post: 1773171"]Since 11.46 is out, I thought I'd try creating a new CSR. It seems to still have created with sha1. Should sha256 be the default in WHM 11.46?[/quote]
I have been unable to reproduce the issue you have reported. How are you generating the CSR? What's the output when checking from the command line? EX:
openssl req -noout -text -in /var/cpanel/ssl/system/csrs/$domain-value.csr | grep 'Signature Algorithm'
Thank you.
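A small script, added here and not taken from the thread or from cPanel, that generates a CSR with -sha256 the way Kenneth Power's command does and then runs the same "Signature Algorithm" check cPanelMichael gives above, both on the CSR and on the certificate a CA returns (the thread reports SHA-1 certificates coming back for SHA-256 CSRs). The domain, subject and scratch directory are constructed placeholders; it needs a working openssl binary.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: generate the CSR with
# -sha256 as in the command quoted above, then run the same
# "openssl req -noout -text | grep 'Signature Algorithm'" check on it and on
# the certificate the CA returns. Domain and subject are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs and certs

# gen_csr DOMAIN [DIGEST]: 2048-bit key plus a CSR signed with DIGEST
# (default -sha256). Prints the CSR path; the key is $WORK/DOMAIN.key.
gen_csr() {
  domain="$1"; digest="${2:--sha256}"
  openssl req -new -newkey rsa:2048 -nodes "$digest" \
    -keyout "$WORK/$domain.key" -out "$WORK/$domain$digest.csr" \
    -subj "/C=US/ST=TX/L=Austin/O=Example Corp/OU=Web/CN=$domain" 2>/dev/null
  printf '%s\n' "$WORK/$domain$digest.csr"
}

# Signature algorithm recorded in the CSR itself, e.g. sha256WithRSAEncryption.
# This is what a CA like StartSSL keyed on when choosing the issued hash.
csr_sig_alg() {
  openssl req -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Same check on an issued (or self-signed) certificate: confirms what the CA
# actually sent back, independent of what the CSR asked for.
cert_sig_alg() {
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# is_sha2 ALG: 0 for the SHA-2 family, 1 for sha1WithRSAEncryption or anything else.
is_sha2() {
  case "$1" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone use (sh script.sh --demo): generate, then report PASS/FAIL for the CSR.
if [ "${1:-}" = "--demo" ]; then
  csr=$(gen_csr www.example.com)
  alg=$(csr_sig_alg "$csr")
  if is_sha2 "$alg"; then echo "PASS: $csr is $alg"; else echo "FAIL: $csr is $alg"; fi
fi
```

Point cert_sig_alg at the certificate the CA sends back; a sha256 CSR with a sha1WithRSAEncryption result is exactly the RapidSSL behaviour described later in the thread.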
From the cPanel SSL/TLS Manager, I generated a new CSR. Output from the above command gives: Signature Algorithm: sha1WithRSAEncryption
[quote="ladydi711, post: 1773171"]Since 11.46 is out, I thought I'd try creating a new CSR. It seems to still have created with sha1. Should sha256 be the default in WHM 11.46?[/quote]
[quote="cPanelMichael, post: 1773842"]I have been unable to reproduce the issue you have reported. How are you generating the CSR? What's the output when checking from the command line? EX:
openssl req -noout -text -in /var/cpanel/ssl/system/csrs/$domain-value.csr | grep 'Signature Algorithm'
Thank you.[/quote]
I believe I'm running into this also, cPanel 11.46.0.17. I'll open a support ticket.
Hello :) I have the same problem. Whether I generate it through the TLS Manager or WHM, the CSR always comes out SHA1. All my servers have 11.46.0 Build 17. Something is wrong when generating the key, as sha1 is the result every time. Best Regards Jan
Please submit a support ticket using the link in my signature so we can reproduce the issue on your system. You can post the ticket number here so we can update this thread with the outcome. Thank you.
From what I can see, CSRs created within WHM are SHA-2, while CSRs created within the users' cPanel are (still) SHA-1. As soon as I have time to open a support ticket (they're time consuming and I'm stretched thin this week) I'll post the number here.
[quote="cPanelMichael, post: 1778312"]Please submit a support ticket using the link in my signature so we can reproduce the issue on your system. You can post the ticket number here so we can update this thread with the outcome. Thank you.[/quote]
Hello :) I have now opened a ticket. Ticket: 5743645 Best Regards Jan
Hello. Okay, Support says it is not possible via WHM or cPanel in 11.46; it only works on the command line. Perhaps you should adjust your ChangeLog to point out that SHA2 is not generated automatically in version 11.46, but is only possible through the command line. Time is running: from 1.1.2015, Chrome will display a hint that a SHA1 certificate valid beyond 1.1.2017 is unsafe and not trustworthy. Edit: In the current Edge version that should work, but I prefer to wait until the feature has arrived in the release version. Best Regards Jan