The Community Forums


SHA2/256 SSL Certificates? Your experiences?

Discussion in 'Security' started by lorio, Oct 2, 2013.

  1. lorio

    lorio Well-Known Member

    What are your everyday experiences with SHA2/256 SSL certificates? Still major problems with browsers and e-mail clients?

    Is cPanel officially supporting these certs under 11.38?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. sneader

    sneader Well-Known Member

    cPanelMichael, could you elaborate a bit on this for me?

    If I wanted a SHA2 / SHA256 SSL certificate, would I do this via the initial CSR generation? If so, do I simply choose 4096 bits, instead of 2048 bits?

    You mention that 256-bit encryption for certificates is supported, but how do I do that? There is nothing on the CSR generation form that says anything about SHA1, SHA2, SHA256 or 256-bit encryption.

    The Generate an SSL Certificate and Signing Request page makes no mention of it either.

    Thanks for any light you can shed on the subject!

    - Scott
     
  4. PlotHost

    PlotHost Well-Known Member

    No, this is done on the CA's side.
    If you now have a cert with SHA-1, you can ask for a reissue with SHA-2.
     
  5. GreenReaper

    GreenReaper Registered

    The certificate is signed by the CA, but the CSR is generated by cPanel, and it must call openssl with the -sha256 argument, otherwise it will be SHA-1. I ran into this issue today; I generated a key and CSR in cPanel, then requested a certificate via StartSSL, and the result was a SHA-1-signed certificate, even though StartSSL lists it as deprecated, because that was what the cPanel-generated CSR said.

    Microsoft and Google are driving a migration to SHA-256. Chrome will soon warn when it sees a SHA-1-signed certificate with an expiry date after 2015 as secure but with errors, and those which expire after 2016 as insecure. Already, SSL Labs has lowered their grade.

    cPanel should start generating SHA-256 signing requests by default, or at least offer the option of what signing algorithm to request.
     
    MaraBlue likes this.
  6. GreenReaper

    GreenReaper Registered

    I have submitted a feature request suggesting deprecation of SHA-1 CSRs in cPanel.
     
  7. sneader

    sneader Well-Known Member

    @GreenReaper: Am I understanding you correctly that there is no way to do a CSR in cPanel/WHM for a SHA256 Certificate?

    How do I "call openssl with the -sha256 argument" and get a SHA256-compatible CSR?

    I tried to find your Feature Request but was not successful. Can you send me the link?

    Thanks!

    - Scott
     
  8. GreenReaper

    GreenReaper Registered

    @sneader There appears to be no way to specify that the CSR should be signed with sha256 (which is done when using the command-line openssl utility by passing '-sha256' on the command line, along with all the other parameters).

    It appears that some places, like StartSSL, determine the signing algorithm by the CSR, and so it restricts the certificates granted.

    In any case, if the SHA1 algorithm is insecure, such CSRs may eventually no longer be accepted, so it's an important option.

    The feature request is over here (in moderation).
     
    sneader likes this.
  9. ethical

    ethical Well-Known Member


    So what would be the command line to issue to create this?

    Also, cPanel, let's get this solved ASAP, as the deadline is basically now for Chrome.
     
  10. sneader

    sneader Well-Known Member

    The feature is finally out of moderation and I've "liked" it. I sure hope it gathers some additional votes, as right now it's just 4 of us, and likely not even on cPanel's radar. Ouch.

    - Scott
     
  11. GreenReaper

    GreenReaper Registered

    Something like this, only add -sha256 on the end of the "Create a CSR" step.
     
  12. sneader

    sneader Well-Known Member

    I asked about this on the Feature Request page, and Kenneth Power from cPanel replied with the following command line, which should do the trick!:

    Code:
    openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";
    I haven't tested this, but will be trying soon.

    Also on the Feature Request page, Kenneth mentioned that SHA2/SHA256 will be the default starting in 11.46, and then that feature will be back-ported to 11.44. ETA is roughly late November for inclusion in 11.44, not sure when 11.46 will be out, but it would be before then.

    So, things are moving in the right direction! Thanks cPanel!!

    - Scott
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Yea. What he said. :)
     
    MaraBlue and sneader like this.
  14. ethical

    ethical Well-Known Member


    Yep, I saw that and tried it out, but I had to make some modifications, including removing the http://. Not sure why that was in the example, as it doesn't work (at least for me). See my example here (this was for a wildcard certificate). I ran this from a folder I created in /root/ for SSL certs, then I moved the respective CSR and key files to /etc/ssl/certs and /etc/ssl/private.

    Code:
    openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.YOURDOMAIN.COM.sha256.csr -keyout www.YOURDOMAIN.key -subj "/C=CA/ST=ON/L=YOURCITY/O=YOUR COMPANY NAME/OU=Web/CN=*.YOURDOMAIN.COM";

    C = your 2-letter country code
    L = your city
    OU was missing, but is the Operating Unit
    ST = your state or province
    O = your company name
    CN = your common name, so use a *. if creating a wildcard cert or www. for a regular one.

    Note: when installing the issued certificate using WHM, it will NOT pull the private key, so you have to make note of that and paste it yourself.

    hth

    J
     
    MaraBlue likes this.
  15. Serra

    Serra Well-Known Member

    You can also create 4096-bit certs with rsa:4096.
     
  16. sneader

    sneader Well-Known Member

    Nice catches, ethical! Many thanks!!

    - Scott
     
  17. ethical

    ethical Well-Known Member

    OK, so according to the cPanel changelog, 11.46 should allow the generation of SHA-256 certs, but it's not so, OR RapidSSL has a problem? It didn't work for me: when I created a cert and submitted it to RapidSSL, I got back a standard SHA-1 certificate. Anyone have any thoughts on that?

    Thanks
    John
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  19. _tyman_

    _tyman_ Registered

    RapidSSL / GeoTrust hasn't rolled out full support from the get-go yet and is still issuing SHA-1 by default even if using a SHA-256 CSR. In order to get a SHA-256 certificate you will need to re-issue the certificate via the GeoTrust re-issue interface, and then you can select the certificate type.

    I have yet to see any update as to when they will either provide the option from the start or just move completely over. I have a feeling it has to do with their API and the many different resellers and getting everyone on board before it can be fully rolled out.
     
    MaraBlue likes this.
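    The openssl recipe from ethical's post, together with the two checks that ethical's and _tyman_'s reports call for, as an added example (not code from the thread or from cPanel): generate the key and CSR with -sha256, confirm which signature algorithm the CSR actually asks for before sending it to the CA, and confirm which algorithm the CA actually used on the returned certificate. Assumes the openssl CLI is installed; the hostname, subject fields and file prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: SHA-256 CSR generation plus the
# verification steps a practitioner wants before and after the CA step.
set -eu

# Generate a 2048-bit RSA key and a CSR whose own signature uses SHA-256.
# $1 = common name (use "*.example.test" for a wildcard), $2 = output prefix.
# Writes <prefix>.key and <prefix>.csr. Subject values are placeholders.
make_sha256_csr() {
    cn="$1"; prefix="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$prefix.key" -out "$prefix.csr" \
        -subj "/C=US/ST=TX/L=Austin/O=Example Hosting/OU=Web/CN=$cn" 2>/dev/null
}

# Print the signature algorithm recorded in a CSR (e.g. sha256WithRSAEncryption).
# This is what CAs like StartSSL were reported to copy into the issued cert.
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the signature algorithm of an issued PEM certificate. Run this on what
# the CA returns: a SHA-256 CSR does not guarantee a SHA-256 certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if the algorithm string is from the SHA-2 family, 1 otherwise
# (sha1WithRSAEncryption is the value that triggers the Chrome warnings).
is_sha2() {
    case "$1" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}
```

    If cert_sig_alg on the CA's certificate still prints sha1WithRSAEncryption, the CSR was fine and the reissue has to happen on the CA's side, as _tyman_ describes for GeoTrust.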
  20. MaraBlue

    MaraBlue Well-Known Member

    I need to renew a cert today, so crossing my fingers. I guess if GeoTrust isn't yet up to speed, I can always reissue it after they are.
     