SHA2/256 SSL Certificates? Your experiences?

lorio

Well-Known Member
Feb 25, 2004
305
16
168
cPanel Access Level
Root Administrator
What are your everyday expericences with SHA2/256 SSL Certificates? Still major problems with Browser and E-Mailclients?

Is Cpanel offcially supporting these CERTs under 11.38?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

cPanel supports the following key sizes:

2048 bits
4096 bits

256-bit encryption for certificates is supported.

Thank you.
 

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
cPanelMichael, could you elaborate a bit on this for me?

If I wanted a SHA2 / SHA256 SSL certificate, would I do this via the initial CSR generation? If so, do I simply choose 4096 bits, instead of 2048 bits?

You mention that 256-bit encryption for certificates is supported, but how do I do that? There is nothing on the CSR generation form that says anything about SHA1, SHA2, SHA256 or 256-bit encryption.

The Generate an SSL Certificate and Signing Request page makes no mention of it either.

Thanks for any light you can shed on the subject!

- Scott
 

PlotHost

Well-Known Member
Apr 29, 2011
290
14
68
US
cPanel Access Level
Root Administrator
Twitter
cPanelMichael, could you elaborate a bit on this for me?
If I wanted a SHA2 / SHA256 SSL certificate, would I do this via the initial CSR generation?
No, this is done on the CA's side.
If you have now a cert with SHA-1 you can ask for a reissue with SHA-2.
 

GreenReaper

Registered
Oct 5, 2014
4
2
3
cPanel Access Level
Website Owner
No, this is done on the CA's side.
If you have now a cert with SHA-1 you can ask for a reissue with SHA-2.
The certificate is signed by the CA, but the CSR is generated by cPanel, and it must call openssl with the -sha256 argument, otherwise it will be SHA-1. I ran into this issue today; I generated a key and CSR in cPanel, then requested a certificate via StartSSL and the result was a SHA-1-signed certificate, even though StartSSL list it as deprecated, because that was what the cPanel-generated CSR said.

Microsoft and Google are driving a migration to SHA-256. Chrome will soon warn when it sees a SHA-1-signed certificates with expiry dates after 2015 as secure but with errors, and those which expire after 2016 as insecure. Already, SSL Labs has lowered their grade.

cPanel should start generating SHA-256 signing requests by default, or at least offer the option of what signing algorithm to request.
 
  • Like
Reactions: MaraBlue

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
@GreenReaper: Am I understanding you correctly that there is no way to do a CSR in cPanel/WHM for a SHA256 Certificate?

the CSR is generated by cPanel, and it must call openssl with the -sha256 argument, otherwise it will be SHA-1
How do I "call openssl with the -sha256 argument" and get a SHA256-compatible CSR?

I tried to find your Feature Request but was not successful. Can you send me the link?

Thanks!

- Scott
 

GreenReaper

Registered
Oct 5, 2014
4
2
3
cPanel Access Level
Website Owner
@sneader There appears to be no way to specify that CSR should be signed with sha256 (which is done when using the command-line openssl utility by passing '-sha256' on the command line, along with all the other parameters).

It appears that some places, like StartSSL, determine the signing algorithm by the CSR, and so it restricts the certificates granted.

In any case, if the SHA1 algorithm is insecure, such CSRs may eventually no longer be accepted, so it's an important option.

The feature request is over here (in moderation).
 
  • Like
Reactions: sneader

ethical

Well-Known Member
Apr 7, 2009
95
8
58
@sneader There appears to be no way to specify that CSR should be signed with sha256 (which is done when using the command-line openssl utility by passing '-sha256' on the command line, along with all the other parameters).

It appears that some places, like StartSSL, determine the signing algorithm by the CSR, and so it restricts the certificates granted.

In any case, if the SHA1 algorithm is insecure, such CSRs may eventually no longer be accepted, so it's an important option.

The feature request is over here (in moderation).

so what would be the command line to issue to create this?

also cpanel lets get this solved asap as the deadline is basically now for chrome
 

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
so what would be the command line to issue to create this?
I asked about this on the Feature Request page, and Kenneth Power from cPanel replied with the following command line, which should do the trick!:

Code:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";
I haven't tested this, but will be trying soon.

also cpanel lets get this solved asap as the deadline is basically now for chrome
Also on the Feature Request page, Kenneth mentioned that SHA2/SHA256 will be the default starting in 11.46, and then that feature will be back-ported to 11.44. ETA is roughly late November for inclusion in 11.44, not sure when 11.46 will be out, but it would be before then.

So, things are moving in the right direction! Thanks cPanel!!

- Scott
 

ethical

Well-Known Member
Apr 7, 2009
95
8
58
I asked about this on the Feature Request page, and Kenneth Power from cPanel replied with the following command line, which should do the trick!:

Code:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";
I haven't tested this, but will be trying soon.


Also on the Feature Request page, Kenneth mentioned that SHA2/SHA256 will be the default starting in 11.46, and then that feature will be back-ported to 11.44. ETA is roughly late November for inclusion in 11.44, not sure when 11.46 will be out, but it would be before then.

So, things are moving in the right direction! Thanks cPanel!!

- Scott

yep I saw that and tried it out but I had to make some modifications including removing the http:// not sure why that was in the example as it doesn't work (at least for me). see my example here (this was for a wildcard certificate). I ran this from a folder i created in /root/ for ssl certs, then i moved the respective csr and KEY files to /etc/ssl/certs and /etc/ssl/private


Code:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.YOURDOMAIN.COM.sha256.csr -keyout www.YOURDOMAIN.key -subj "/C=CA/ST=ON/L=YOURCITY/O=YOUR COMPANY NAME/OU=Web/CN=*.YOURDOMAIN.COM";

C= your 2 digit country code
L= your CITY
OU was missing but is the Operating Unit
ST=your State or province
O = your company name
CN= is your common name, so use a *. if creating a wildcard cert or www. for a regular one.

note when installing the issued certificate using the WHM it will NOT pull the private KEY so you have to make note of that and paste it yourself

hth

J
 
  • Like
Reactions: MaraBlue

ethical

Well-Known Member
Apr 7, 2009
95
8
58
ok so acording to cpanel changelog 11.46 should allow the generation of sha256 certs, but its not so OR rapidssl has a problem?. It didnt work for me when i created a cert and submitted to rapidssl I got back a standard sha1 certificate. Anyone have any thoughts on that?

Thanks
John
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
ok so acording to cpanel changelog 11.46 should allow the generation of sha256 certs, but its not so OR rapidssl has a problem?. It didnt work for me when i created a cert and submitted to rapidssl I got back a standard sha1 certificate. Anyone have any thoughts on that?
Please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

_tyman_

Registered
Oct 23, 2014
3
1
3
cPanel Access Level
Root Administrator
ok so acording to cpanel changelog 11.46 should allow the generation of sha256 certs, but its not so OR rapidssl has a problem?. It didnt work for me when i created a cert and submitted to rapidssl I got back a standard sha1 certificate. Anyone have any thoughts on that?

Thanks
John
RapidSSL / GeoTrust hasn't rolled out full support from the get-go yet and are still issuing sha1 by default even if using a sha256 CSR. In order to get a sha256 you will need to re-issue the certificate via the GeoTrust re-issue interface and then you can select the certificate type.

I have yet to see any update as to when they will either provide the option from the start or just move completely over. I have a feeling it has to do with their API and the many different resellers and getting everyone on board before it can be fully rolled out.
 
  • Like
Reactions: MaraBlue

MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
I need to renew a cert today, so crossing my fingers. I guess if GeoTrust isn't yet up to speed, I can always reissue it after they are.