4

To preface, I have searched a lot but can't seem to find the right search terms.

I generated a CSR using the following command:

openssl req -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/ssl.key -out /etc/ssl/ssl.csr

With the generated CSR I got a class 2 signed cert via StartSSL.

The issue is when I view the cert info in Chrome on my site, it says the site security is outdated.

Is maybe there is an Apache2 mod_ssl setting I need to change?

Or if it's a cert issue, what OpenSSL options do I need to use to generate an up-to-date CSR request?

Thanks in advance.

Geostyx
  • 73
  • 2
    That presumably has to do with the SHA1 hash algorithm used to sign the certificate. See Google announcement here – HBruijn Dec 17 '14 at 14:49

1 Answers1

5

First, add "-sha256" to your CSR command, to ensure that you're using SHA256 instead of the less secure SHA1 or MD5 hash digests for your certificate.

Second, check to ensure that the server itself is configured to use only TLS or above. Change your SSL configuration lines (in /etc/httpd/conf.d/ssl.conf, your site files, or wherever else your distro is storing them) to be at a bare minimum this restrictive:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:-MEDIUM:-LOW

For more information, there is a document specifying the lowest acceptable algorithms and key strengths on the CA/Browser Forum, in Appendix A. That link is likely to become outdated as new standards are adopted, so keep an eye on their Baseline Requirements Documents page for updates.

Hyppy
  • 15,686
  • Would this be correct for CSR? openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout techglimpse.com.key -out techglimpse.com.crt and this is my current ssl config: SSLCipherSuite AES256-SHA:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on – Geostyx Dec 17 '14 at 15:02
  • Also, should -days match the cert signing length? Class 2 StartSSL are good for 2 years – Geostyx Dec 17 '14 at 15:07
  • You can compare the ciphers used for SSL/TLS transmission security with openssl ciphers -v '<string>'. Just copy and paste the SSLCipherSuite values in there and see what differences there are. – Hyppy Dec 17 '14 at 15:09
  • 1
    @GeoStyx: The -days is only relevant in combination with the -x509 flag where you're generating a self-signed certificate. The validity period of the signed certificate is not set in the CSR, but by the CA when they create the signed certificate and probably based on how much money you gave them. – HBruijn Dec 17 '14 at 15:22
  • @HBruijn Ok, so do I not need the -x509? Would this command be what I want? openssl req -nodes -sha256 -newkey rsa:2048 -keyout ssl.key -out ssl.crt – Geostyx Dec 17 '14 at 15:34
  • 1
    Yep, but since you're creating a certificate signing just to keep things straight -out ssl.csr – HBruijn Dec 17 '14 at 15:48
  • @HBruijn Thank you so much! I rally appreciate the help :) – Geostyx Dec 17 '14 at 16:51