[BlueOnyx:15967] Re: SHA-2 for ssl certificates needed

[Michael Stauber]

Hi Tobias,

> So from now on every certificate must not base on any algorithm
> prior SHA-2. From my point of view this includes the key too.
> 
> Michael, can you please provide an update for key and csr 
> generation on BlueOnyx?

I just looked into this and the SSL module that generates key, signing
request and cert is ... a bit complicated. :p

Please take a look at these two images:

Certificate as it is right now:

http://d2.smd.net/.ssl/SHA1.png

Certificate generated with the planned change to use SHA256:

http://d2.smd.net/.ssl/SHA256.png

Compare both side by side. As you can see under "signature algorithm"
the old certificate uses "SHA1withRSA", whereas the new mechanism
results in "SHA256withRSA".

That should be good enough. But I'm a bit confused by the "Certification
Paths" section at the end, where it shill lists SHA1 in the middle for both.

The last line then says "RSA 2048 bit SHA1withRSA" for the old cert and
"RSA 2048 bits / SHA256withRSA" for the new.

So I think these proposed changes should do the trick. What do you think?

FWIW: There *will* be a catch either way around. This is/was also the
case for the old 1024 bit certs when we went to 2048 bits:

Your Vsite already has a "certs" directory and that has a "key" in it,
which was generated with the old mechanism. When you then generate a new
certificate, it *will* re-use the existing key. This was done with
certificate prolongation in mind, as companies such as Thawte or
Verisign will not extend a certificate if the key was changed. And the
key defines how many bits the certificate has and which algorithm will
be used.

So once this update is published and you want to generate a 2048 bit
SHA256 certificate, then you *must* delete the contends of the "certs"
directory first. At least you must deleted "certs/key", or our new cert
will still have the weaker algorithm.

-- 
With best regards

Michael Stauber