[BlueOnyx:21662] Re: Certificate 4096 bit keys

Ernie ernie at info.eis.net.au
Wed Jan 10 20:13:40 -05 2018


Hi Michael,
Is there any progress on adding this?
Just had the CSR that 2509R generates rejected on Thawte/Verisign with a vague error message:

"The CSR contains a weak key due to a known vulnerability on Debian and
Ubuntu-based operating systems". Of course that's not us, and when I go to click
the link for more info it's a page not found, grrr...

My first thoughts were that it's related to this 4096 bit caper, and the
error message was misleading.

This is the link to their CSR checking tool that was coming up with the
error:

https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp


- Ernie.




> 
> Hi Ernie,
> 
> > Are the keys generated by BlueOnyx compatible with this 4096-bit RSA key
> > format?
> 
> Not yet. Like everyone else we're still doing the "genrsa" stage of the
> CSR generation with 2048 bit:
> 
> sub _gen_private_key {
>  my $cert_dir = shift;
> 
>  Sauce::Util::modifyfile("$cert_dir/key");
>  system($OPENSSL, 'genrsa', '-out', "$cert_dir/key", '2048', '-sha256');
>  Sauce::Util::chmodfile(0640, "$cert_dir/key");
> 
>  return ($? ? 0 : 1);
> }
> 
> But that is trivial to fix. We just need a pulldown in the GUI to let
> you choose if you want 2048 (current default) or 4096 bit and this
> subroutine then uses whatever you specified.
> 
> That would cover 4096-bit and SHA-256.
> 
> However, the notice said: "4096-bit RSA key, P-384 ECC key, and SHA-256".
> 
> I'm not sure where "P-384 ECC" fits in there, as that would be used
> during the "genpkey" stage like this:
> 
> ECC P-384:
> ==========
> 
> openssl genpkey -algorithm EC \
>     -pkeyopt ec_paramgen_curve:P-384 \
>     -pkeyopt ec_param_enc:named_curve |
>   openssl pkcs8 -topk8 -nocrypt -outform der > p384-private-key.p8
> 
> 
> So I need to check where we create the private key and fiddle with its
> generation as well.
> 
> 
> Anyway, Ernie: Thanks for the heads up. I'll look into it.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
> 


-- 
"I Ping therefore I am."
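The thread above boils down to three things a CA may ask for: an RSA key of the chosen size (2048 or 4096), an EC P-384 key as an alternative, and a CSR signed with SHA-256. The script below is an added example written for this list post; it is not BlueOnyx code and not Michael's subroutine. It uses only the openssl CLI (`genpkey` for both RSA and EC, so one entry point replaces the separate `genrsa` and EC paths), applies the same 0640 mode the Perl code uses, and then reads back from the finished CSR exactly what a CA's checker can see: the key size, the curve, and the signature algorithm. Note that SHA-256 is a property of the CSR signature, so it is passed to `openssl req`, not to key generation. The file names and the CN `www.example.com` are made up for the example.

```shell
#!/bin/sh
# Added example, not BlueOnyx code: generate the private key the CA asked for
# (RSA 2048, RSA 4096 or EC P-384), build a SHA-256 CSR for it, and inspect the
# CSR so its key size, curve and signature algorithm can be confirmed before it
# is submitted. Uses only the openssl CLI; file names and the CN are made up.
set -eu

# gen_key TYPE OUTFILE
#   TYPE is one of: rsa2048  rsa4096  p384
#   genpkey handles both RSA and EC, so one entry point covers all three.
gen_key() {
    key_type=$1
    out=$2
    case "$key_type" in
        rsa2048) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out" 2>/dev/null ;;
        rsa4096) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$out" 2>/dev/null ;;
        p384)    openssl genpkey -algorithm EC \
                     -pkeyopt ec_paramgen_curve:P-384 \
                     -pkeyopt ec_param_enc:named_curve -out "$out" 2>/dev/null ;;
        *) echo "gen_key: unknown key type '$key_type'" >&2; return 1 ;;
    esac
    # Private key must not be world-readable (same 0640 the Perl code applies).
    chmod 0640 "$out"
}

# gen_csr KEYFILE CN OUTFILE
#   The digest is a property of the CSR signature, not of the key, so -sha256
#   goes here; it works the same for RSA and EC keys.
gen_csr() {
    openssl req -new -sha256 -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# csr_text CSRFILE  -- human-readable dump used by the inspectors below
csr_text() {
    openssl req -in "$1" -noout -text
}

# csr_key_bits CSRFILE  -- e.g. 2048, 4096 or 384
csr_key_bits() {
    csr_text "$1" | grep -o '([0-9]* bit)' | head -n 1 | tr -dc '0-9'
}

# csr_curve CSRFILE  -- NIST curve name for EC keys, empty for RSA
csr_curve() {
    csr_text "$1" | sed -n 's/^ *NIST CURVE: *//p' | head -n 1
}

# csr_sig_alg CSRFILE  -- e.g. sha256WithRSAEncryption or ecdsa-with-SHA256
csr_sig_alg() {
    csr_text "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_verify CSRFILE  -- succeeds if the CSR's self-signature checks out against
#   the public key it carries (a corrupted or mismatched CSR fails here)
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# demo: run the whole flow for each key type in a temp dir and print a summary
demo() {
    dir=$(mktemp -d)
    for t in rsa2048 rsa4096 p384; do
        gen_key "$t" "$dir/$t.key"
        gen_csr "$dir/$t.key" "www.example.com" "$dir/$t.csr"
        if csr_verify "$dir/$t.csr"; then ok=yes; else ok=no; fi
        printf '%-8s bits=%s curve=%s sig=%s verify=%s\n' "$t" \
            "$(csr_key_bits "$dir/$t.csr")" "$(csr_curve "$dir/$t.csr")" \
            "$(csr_sig_alg "$dir/$t.csr")" "$ok"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh csrcheck.sh --demo` to see one line per key type. The inspection functions read only the CSR, which is the same view a CA's checker has: if `csr_key_bits` and `csr_sig_alg` do not already report what the CA's notice asked for, the submission will fail regardless of what the key file on disk looks like.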


