Oct 29, 2014

It's time to re-key your SSL certificates if they're signed with SHA-1

Google announced back in September that they will be the major catalyst for killing off SHA-1 around the world. In their blog post they talk about their plan to gradually "sunset" SHA-1 because of how weak it is.

From their blog:

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.
That's right, starting next month if your website is using an SSL certificate that was signed with SHA-1 and is good past January 2017, then users that browse to it with Google Chrome will start getting browser warnings! Thanks Google!

That means you need to have your certificates re-keyed through your SSL provider using a certificate signing request (CSR) with a SHA-256 signing hash if you don't want people to get browser warnings.

If you use IIS, even in Windows 2012 R2, it will still generate a CSR with SHA-1 only. So you need to use OpenSSL to generate your CSR. Linux has it built in, but if you are a Windows server user you can download a Windows version.

To generate your SHA-256 CSR run the following:

openssl req -nodes -sha256 -newkey rsa:4096 -keyout PrivateKey.key -out CertificateRequest.csr

You will prompted for the usual information, and this will create your private key and your CSR to send to your SSL provider. Once your new cert is issued you should be good to go if you have an Apache server or Nginx.

If you are a Windows IIS user you may want to create a p12 file with your certificate and private key all in one file so you can easily import it with the Certificates MMC snap-in. To create the p12 file run the following command:

openssl pkcs12 -export -in SignedKeyFromCA.cer -inkey PrivateKey.key -out SignedKeyPair.p12

You will be asked for a password to protect your key and you'll have to remember that password when importing it into Windows.

That's it, once that is done and installed you can check to make sure you did everything properly with SSL Labs.



Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam