
SHA2/256 SSL Certificates? Your experiences?

Comments

43 comments

  • ladydi711
    My Ticket 5744109 was replied to. Gave me the info I needed to know.
    __________________
    Hello, Case 118297 which resolves this by generating CSRs using SHA-256 is not yet available in the regular update tiers. It is currently available in the EDGE tier (the 11.45.999 versions you see in the Change Log) but I would not recommend this tier for a production server:
    0
  • MaraBlue
    [quote="discountnetz, post: 1779202"]Hello. Okay, Support says it is not possible via WHM or cPanel at 11.46; it only works on the command line. Perhaps you should adjust your ChangeLog to point out that SHA2 is not generated automatically in version 11.46, but that this is only possible through the command line.[/quote]
    [quote="ladydi711, post: 1779242"]My Ticket 5744109 was replied to. Case 118297 which resolves this by generating CSRs using SHA-256 is not yet available in the regular update tiers.[/quote]
    And yet Kenneth Power reported in the feature request thread for SHA-2 on Oct. 15, 2014:
    [QUOTE]We are changing the default algorithm used for creating SSL Keys, CSRs, and Certificates, from SHA1 to SHA256. The change will go out as part of 11.46, and should be back ported to 11.44. Also, the internal case number is 118297. Update 2014-10-30: By default our CSRs are generated using SHA256, in 11.46. If you integrate your own CSRs into cPanel & WHM, we also accept SHA384, and SHA512.[/QUOTE]
    When 11.46 came out, we all had the reasonable assumption that would include the fix for this. Even earlier in this thread it's clear that cPanelMichael was expecting 11.46 to generate a SHA-2 CSR, though why he would claim he was "unable to reproduce" the issue with cPanel creating a SHA-1, when it clearly does and substantiated by cPanel support, is beyond me. cPanelMichael, if you're unable to reproduce, then could you tell us exactly what you did that gained a SHA-2 CSR through cPanel? The certificate for our hostname/services is a SHA-2, with a SHA-2 CSR, created last April (all same SSL vendor). The CSR would have been created through WHM, rather than a user account in cPanel. If WHM can do it, it shouldn't be that difficult to transfer that ability to the user cPanel accounts.
    0
  • ladydi711
    [quote="discountnetz, post: 1779202"]Hello. Okay, Support says it is not possible via WHM or cPanel at 11.46; it only works on the command line.[/quote]
    My experience as well. While not ideal, the command line suggestions will work. I look very much forward to the feature in WHM/cPanel.
    0
  • cPanelMichael
    The change was implemented in one of our 11.46 development builds on 2014-10-22:
    11.45.999.124: Fixed case 118297: Use SHA256 for SSL Keys and CSRs.
    Please monitor our change log for this case number to see when it's been released to a non-development 11.46 build: 11.46 Change Log
    Thank you.
    0
  • MaraBlue
    So when you were "unable to reproduce" the issue, it's because you were testing using a development build, which isn't available to the rest of us? I understand mistakes happen, but honestly.... that's a pretty big one.
    0
  • cPanelMichael
    [quote="MaraBlue, post: 1782372"]So when you were "unable to reproduce" the issue, it's because you were testing using a development build, which isn't available to the rest of us? I understand mistakes happen, but honestly.... that's a pretty big one.[/quote]
    Right, I attempted to reproduce the issue on the "Edge" build tier, which is available to the public, but not recommended on production machines. We often test on this tier to ensure we are not reproducing a bug that's already been resolved. It's also why I requested the output from "openssl req -noout -text -in /var/cpanel/ssl/system/csrs/$domain-value.csr| grep 'Signature Algorithm'" so I could investigate further. Thank you.
    0
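
The check requested in the post above, extended to a whole directory of CSRs. This is an added example, not part of the thread and not cPanel's own code; the function names are hypothetical and the `.test` CSRs are constructed test data generated on the spot.

```shell
#!/bin/sh
# Added example (not from the thread): audit CSR signature algorithms.

# Print the signature algorithm of one PEM CSR, e.g. sha256WithRSAEncryption.
csr_sigalg() {
    openssl req -noout -text -in "$1" 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Map an algorithm name to a verdict: SHA-1 and MD5 are rejected,
# SHA-256/384/512 pass, anything else needs a human look.
classify_sigalg() {
    case "$1" in
        "") echo unreadable ;;
        md5*|sha1*|*SHA1) echo reject ;;
        sha256*|sha384*|sha512*|*SHA256|*SHA384|*SHA512) echo ok ;;
        *) echo review ;;
    esac
}

# Audit every *.csr in a directory; returns non-zero if any is not "ok".
audit_csr_dir() {
    rc=0
    for f in "$1"/*.csr; do
        [ -e "$f" ] || continue
        alg=$(csr_sigalg "$f")
        verdict=$(classify_sigalg "$alg")
        printf '%-10s %-26s %s\n' "$verdict" "${alg:--}" "$f"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Generate a throwaway key and CSR with an explicit digest (constructed test data).
# $1 = output dir, $2 = common name, $3 = digest flag such as sha256
make_test_csr() {
    openssl req -new -newkey rsa:2048 -nodes -"$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Demo on constructed CSRs; some hardened builds refuse to sign with SHA-1.
demo() {
    d=$(mktemp -d) || return 1
    make_test_csr "$d" new.example.test sha256
    make_test_csr "$d" old.example.test sha1 || echo "sha1 signing disabled here"
    audit_csr_dir "$d" || echo "at least one CSR needs reissuing"
    rm -rf "$d"
}
demo
```

Pointing `audit_csr_dir` at `/var/cpanel/ssl/system/csrs`, the directory named in the post above, lists which existing CSRs would need to be regenerated before a CA that requires SHA-2 will accept them.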
  • cPanelKenneth
    Hello, case 118297 is available in the 11.46.1 production release. Right now that is in the CURRENT tier. We expect it to reach the RELEASE tier next week.
    0
  • DomainMasters
    WHM was supposed to be supporting SHA2 now: WHM 11.46.0! What happened? GeoTrust will no longer accept any CSR created in WHM's GUI. GeoTrust says that it must be a CSR created with SHA2 before it will issue a cert to me. So now what are we supposed to do? I have been waiting for this for a long time now. Why was it, SHA2, not implemented in WHM 11.46 like you said it would be? And when will it be implemented? We need SHA2 support in WHM NOW - in 11.46(Build 23). We are in build 22 now. Why can't you just implement SHA2 PLEASE? Did I mention that GeoTrust will no longer accept CSR's unless they are created with SHA2? I've been looking for it with every build that is released and now we're at 22 and still no SHA2! Why? Please respond asap! Thank you. Sincerely, Richard Williams
    0
  • cPanelMichael
    cPanel version 11.46.1.3 (this includes case number 118297) is now available in the "Release" build tier. You can review your update preferences via: "WHM Home » Server Configuration » Update Preferences". Thank you.
    0
  • DomainMasters
    [quote="cPanelMichael, post: 1788802"]cPanel version 11.46.1.3 (this includes case number 118297) is now available in the "Release" build tier. You can review your update preferences via: "WHM Home » Server Configuration » Update Preferences". Thank you.[/quote]
    This is great news. Thank you very much for your hard work. I have just added another post that is kind of irrelevant now. Maybe you can remove it please. This is great news for me and many others, I'm sure. Thanks again. Sincerely, Richard Williams
    0
  • vlee
    With this updated to use SHA256 for SSL Keys and CSR, I do have one question before I do anything on our servers. In WHM Home » SSL/TLS » Generate an SSL Certificate and Signing Request, under the Private Key Options: Is 2,048 bits still the recommended standard or should the 4,096 bits be used for greater security?
    0
  • cPanelMichael
    [quote="vlee, post: 1789081"]Is 2,048 bits still the recommended standard or should the 4,096 bits be used for greater security?[/quote]
    The following third-party website answers this: Differences between 2048 and 4096 bit RSA Keys Thank you.
    0
  • vlee
    [quote="cPanelMichael, post: 1789231"]The following third-party website answers this: Differences between 2048 and 4096 bit RSA Keys Thank you.[/quote]
    Thank you Michael for the great information. This does help.
    0
