SHA2/256 SSL Certificates? Your experiences?

lorio

What are your everyday experiences with SHA2/256 SSL certificates? Still major problems with browsers and e-mail clients?

Is cPanel officially supporting these certs under 11.38?
 

cPanelMichael

Administrator
Staff member
Hello :)

cPanel supports the following key sizes:

2048 bits
4096 bits

256-bit encryption for certificates is supported.

Thank you.
 

sneader

cPanelMichael, could you elaborate a bit on this for me?

If I wanted a SHA2 / SHA256 SSL certificate, would I do this via the initial CSR generation? If so, do I simply choose 4096 bits, instead of 2048 bits?

You mention that 256-bit encryption for certificates is supported, but how do I do that? There is nothing on the CSR generation form that says anything about SHA1, SHA2, SHA256 or 256-bit encryption.

The Generate an SSL Certificate and Signing Request page makes no mention of it either.

Thanks for any light you can shed on the subject!

- Scott
 

PlotHost

cPanelMichael, could you elaborate a bit on this for me?
If I wanted a SHA2 / SHA256 SSL certificate, would I do this via the initial CSR generation?
No, this is done on the CA's side.
If you now have a cert with SHA-1, you can ask for a reissue with SHA-2.
 

GreenReaper

No, this is done on the CA's side.
If you now have a cert with SHA-1, you can ask for a reissue with SHA-2.
The certificate is signed by the CA, but the CSR is generated by cPanel, and it must call openssl with the -sha256 argument, otherwise it will be SHA-1. I ran into this issue today; I generated a key and CSR in cPanel, then requested a certificate via StartSSL, and the result was a SHA-1-signed certificate, even though StartSSL lists it as deprecated, because that was what the cPanel-generated CSR said.

Microsoft and Google are driving a migration to SHA-256. Chrome will soon warn when it sees SHA-1-signed certificates with expiry dates after 2015 as secure but with errors, and those which expire after 2016 as insecure. Already, SSL Labs has lowered their grade.

cPanel should start generating SHA-256 signing requests by default, or at least offer the option of what signing algorithm to request.
 

sneader

@GreenReaper: Am I understanding you correctly that there is no way to do a CSR in cPanel/WHM for a SHA256 Certificate?

the CSR is generated by cPanel, and it must call openssl with the -sha256 argument, otherwise it will be SHA-1
How do I "call openssl with the -sha256 argument" and get a SHA256-compatible CSR?

I tried to find your Feature Request but was not successful. Can you send me the link?

Thanks!

- Scott
 

GreenReaper

@sneader There appears to be no way to specify that the CSR should be signed with sha256 (which is done when using the command-line openssl utility by passing '-sha256' on the command line, along with all the other parameters).

It appears that some places, like StartSSL, determine the signing algorithm by the CSR, and so it restricts the certificates granted.

In any case, if the SHA1 algorithm is insecure, such CSRs may eventually no longer be accepted, so it's an important option.

The feature request is over here (in moderation).
 
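The two posts above make one concrete claim: the digest a CSR is signed with is fixed when openssl builds the CSR, so a CA that mirrors the CSR digest (as StartSSL did) issues SHA-1 unless `-sha256` was passed. The script below is an added example, not code from the thread, from cPanel or from any CA. It builds a key and CSR the way the thread does (`-newkey rsa:2048 -nodes`), once with `-sha256` and once with `-sha1`, then reads the signature algorithm back out of each CSR and checks that the CSR belongs to the generated key. The domain, subject fields and working directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): the digest a CSR is signed
# with is chosen by openssl's -sha1/-sha256 flag at CSR creation time, and
# can be read back before the CSR is handed to a CA.
# DOMAIN and the -subj fields are placeholders; substitute your own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="www.example.com"   # placeholder host name

# Build a key and CSR the way the thread does (-newkey rsa:2048 -nodes),
# with the signing digest passed in as $1 (sha1 or sha256).
gen_csr() {
  digest="$1"
  openssl req -new -newkey rsa:2048 -nodes -"$digest" \
    -keyout "$WORK/$DOMAIN.$digest.key" \
    -out "$WORK/$DOMAIN.$digest.csr" \
    -subj "/C=US/ST=TX/L=Austin/O=Example Org/OU=Web/CN=$DOMAIN" 2>/dev/null
}

# Print the signature algorithm a CSR carries, e.g. sha256WithRSAEncryption.
# This is the field a CA that mirrors the CSR digest is looking at.
csr_sigalg() {
  openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Succeed only if CSR $2 was built from private key $1 (RSA moduli equal).
csr_matches_key() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl req -in "$2" -noout -modulus)" ]
}

gen_csr sha256
echo "sha256 CSR: $(csr_sigalg "$WORK/$DOMAIN.sha256.csr")"
csr_matches_key "$WORK/$DOMAIN.sha256.key" "$WORK/$DOMAIN.sha256.csr" && echo "CSR matches key"

# OpenSSL builds whose crypto policy forbids SHA-1 signatures refuse -sha1;
# treat that refusal as the answer rather than as a script error.
if gen_csr sha1; then
  echo "sha1 CSR:   $(csr_sigalg "$WORK/$DOMAIN.sha1.csr")"
else
  echo "sha1 CSR:   refused by this OpenSSL build"
fi
```

Run it as `sh csr-digest.sh`. One caveat when reproducing the thread's problem on a current system: OpenSSL changed its default request digest from SHA-1 to SHA-256 in 1.1.0, so on a modern build you get sha256WithRSAEncryption even without the flag; the SHA-1 CSRs in the thread came from the older OpenSSL that shipped with those servers, which is why passing `-sha256` explicitly matters there.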

ethical

@sneader There appears to be no way to specify that the CSR should be signed with sha256 (which is done when using the command-line openssl utility by passing '-sha256' on the command line, along with all the other parameters).

It appears that some places, like StartSSL, determine the signing algorithm by the CSR, and so it restricts the certificates granted.

In any case, if the SHA1 algorithm is insecure, such CSRs may eventually no longer be accepted, so it's an important option.

The feature request is over here (in moderation).

So what would be the command line to issue to create this?

Also, cPanel, let's get this solved ASAP, as the deadline is basically now for Chrome.
 

sneader

So what would be the command line to issue to create this?
I asked about this on the Feature Request page, and Kenneth Power from cPanel replied with the following command line, which should do the trick:

Code:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";
I haven't tested this, but will be trying soon.

Also, cPanel, let's get this solved ASAP, as the deadline is basically now for Chrome.
Also on the Feature Request page, Kenneth mentioned that SHA2/SHA256 will be the default starting in 11.46, and then that feature will be back-ported to 11.44. ETA is roughly late November for inclusion in 11.44, not sure when 11.46 will be out, but it would be before then.

So, things are moving in the right direction! Thanks cPanel!!

- Scott
 

ethical

I asked about this on the Feature Request page, and Kenneth Power from cPanel replied with the following command line, which should do the trick!:

Code:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";
I haven't tested this, but will be trying soon.


Also on the Feature Request page, Kenneth mentioned that SHA2/SHA256 will be the default starting in 11.46, and then that feature will be back-ported to 11.44. ETA is roughly late November for inclusion in 11.44, not sure when 11.46 will be out, but it would be before then.

So, things are moving in the right direction! Thanks cPanel!!

- Scott

Yep, I saw that and tried it out, but I had to make some modifications, including removing the http://; not sure why that was in the example, as it doesn't work (at least for me). See my example here (this was for a wildcard certificate). I ran this from a folder I created in /root/ for SSL certs, then I moved the respective CSR and key files to /etc/ssl/certs and /etc/ssl/private.


Code:
openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.YOURDOMAIN.COM.sha256.csr -keyout www.YOURDOMAIN.key -subj "/C=CA/ST=ON/L=YOURCITY/O=YOUR COMPANY NAME/OU=Web/CN=*.YOURDOMAIN.COM";

C= your 2-digit country code
L= your city
OU was missing but is the Operating Unit
ST= your state or province
O= your company name
CN= your common name, so use a *. if creating a wildcard cert or www. for a regular one.

Note: when installing the issued certificate using WHM, it will NOT pull the private key, so you have to make note of that and paste it yourself.

hth

J
 

ethical

OK, so according to the cPanel changelog, 11.46 should allow the generation of SHA-256 certs, but it's not so, OR RapidSSL has a problem? It didn't work for me: when I created a cert and submitted it to RapidSSL, I got back a standard SHA-1 certificate. Anyone have any thoughts on that?

Thanks
John
 

cPanelMichael

Administrator
Staff member
OK, so according to the cPanel changelog, 11.46 should allow the generation of SHA-256 certs, but it's not so, OR RapidSSL has a problem? It didn't work for me: when I created a cert and submitted it to RapidSSL, I got back a standard SHA-1 certificate. Anyone have any thoughts on that?
Please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

_tyman_

OK, so according to the cPanel changelog, 11.46 should allow the generation of SHA-256 certs, but it's not so, OR RapidSSL has a problem? It didn't work for me: when I created a cert and submitted it to RapidSSL, I got back a standard SHA-1 certificate. Anyone have any thoughts on that?

Thanks
John
RapidSSL / GeoTrust hasn't rolled out full support from the get-go yet and is still issuing SHA-1 by default, even if you use a SHA-256 CSR. In order to get a SHA-256 certificate, you will need to re-issue the certificate via the GeoTrust re-issue interface, where you can select the certificate type.

I have yet to see any update as to when they will either provide the option from the start or just move completely over. I have a feeling it has to do with their API and the many different resellers and getting everyone on board before it can be fully rolled out.
 
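The last few posts describe the other half of the problem: even with a SHA-256 CSR, RapidSSL/GeoTrust handed back a SHA-1 certificate, because the digest on the issued certificate is chosen by the CA at signing time, not by the CSR; and, as noted earlier, WHM will not pull the private key for you when you install what came back. The script below is an added example, not code from the thread, from cPanel or from any CA. It stands up a throwaway local CA (constructed for the example, in place of a commercial one), issues the same SHA-256 CSR once with `-sha256` and once with `-sha1`, reads the signature algorithm off each issued certificate, and checks that the certificate belongs to the private key you are about to paste. Domain, subject and CA name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or any CA): the digest on an
# issued certificate is chosen by the CA when it signs, so a SHA-256 CSR can
# still come back as a SHA-1 certificate; inspect what was returned, and
# confirm it matches the private key before pasting both into WHM.
# DOMAIN, the -subj fields and the toy CA are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="www.example.com"   # placeholder host name

# Subscriber key and SHA-256 CSR, generated as the thread does.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/C=US/ST=TX/L=Austin/O=Example Org/CN=$DOMAIN" 2>/dev/null
}

# Throwaway self-signed CA standing in for RapidSSL/GeoTrust (constructed).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Toy CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate for CSR $1 using digest $2, writing it to $3.
# The digest given here, not the one inside the CSR, is what the certificate carries.
issue_cert() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -"$2" -out "$3" 2>/dev/null
}

# Print the signature algorithm of an issued certificate, e.g. sha1WithRSAEncryption.
cert_sigalg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Succeed only if certificate $2 was issued for private key $1 (RSA moduli equal).
cert_matches_key() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

gen_csr
make_ca
echo "CSR digest:          $(openssl req -in "$WORK/$DOMAIN.csr" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')"

issue_cert "$WORK/$DOMAIN.csr" sha256 "$WORK/$DOMAIN.sha256.crt"
echo "cert signed -sha256: $(cert_sigalg "$WORK/$DOMAIN.sha256.crt")"

# A CA that still signs with SHA-1 ignores the CSR digest entirely. OpenSSL
# builds whose policy forbids SHA-1 signatures refuse this step; skip it then.
if issue_cert "$WORK/$DOMAIN.csr" sha1 "$WORK/$DOMAIN.sha1.crt"; then
  echo "cert signed -sha1:   $(cert_sigalg "$WORK/$DOMAIN.sha1.crt")"
fi

# The check to run on whatever the real CA returns, before installing in WHM.
cert_matches_key "$WORK/$DOMAIN.key" "$WORK/$DOMAIN.sha256.crt" && echo "certificate matches private key"
```

For a certificate you actually received, the two checks that matter are `cert_sigalg` on the returned .crt (anything other than sha256WithRSAEncryption means a reissue is needed, as _tyman_ describes) and `cert_matches_key` against the key file you kept from CSR generation, since a mismatched key pasted into WHM fails only at install time. The modulus comparison is specific to RSA keys, which is what the thread's 2048/4096-bit CSRs use.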

MaraBlue

I need to renew a cert today, so crossing my fingers. I guess if GeoTrust isn't yet up to speed, I can always reissue it after they are.