Certificate authority changes with OpenSSL
Good morning, We are running our own home ca, for generating certificates for our backup system. The new operating systems being recently backed up, have started saying : _OPENSSL.C:67-0 JCR=0 ERROR LOADING CERTIFICATE FILE: ERR=ERROR:140AB18E:SSL ROUTINES:SSL_CTX_USE_CERTIFICATE:CA MD TOO WEAK_ I have seen it's an error you could workaround by setting SECLEVEL to 1 in the CipherString in openssl.conf... basically, some sort of this : _OPENSSL_CONF = DEFAULT_CONF_ _[DEFAULT_CONF]_ _SSL_CONF = SSL_SECT_ _[SSL_SECT]_ _SYSTEM_DEFAULT = SYSTEM_DEFAULT_SECT_ _[SYSTEM_DEFAULT_SECT]_ _MINPROTOCOL = TLSV1.2_ _CIPHERSTRING = DEFAULT@SECLEVEL=2_ I'm not happy with this way of fixing this... so I have planned to investigate and see what are the differences between SECLEVEL 2 and 1. I have seen that SECLEVEL 2, requires 2048 bit keys. No problem with that. I think the problem comes with the signature algorithm : "Signature Algorithm: sha1WithRSAEncryption". I think that is the problem, the sha1. So... I have built Openssl 3.0.2 and now was planning and thinking which could be the following steps. I have seen that the own CA uses sha1WithRSAEncryption signature algorithm. I assume this is one of the things to change, so I have planned to convert the whole PKI, the whole CA to another supported Signature algorithm that had no issues with SECLEVEL2. But as am not an expert in OpenSSL.. I would like to ask a couple of questions : 1 - Is it possible to update a whole CA with 2048 bit public and private keys (I used in req section of openssl.conf, the default_bits to 2048) to a Signature algorithm that don't bother the SECLEVEL 2?. I mean to have two versions of the same certificate. One for SECLEVEL1 and one for SECLEVEL2?. I preserve all csr and so 2 - I was wondering too another question... although this is not urgent now. If the CA key pair, is almost expiring what's the proper process of doing what is supposed to be done?. I assume, it could be : + Create a new ca key pair. + Sign and generate all the certificates with the new CA so that when the old CA, expires to happen that no certificate depends on the old CA key pair?. But... I assume I would have to use a different CN for the new CA?. Perhaps is this same process the one I need to do for converting certificates from SECLEVEL 1 friendly to SECLEVEL 2 friendly?. Any help would be very highly really appreciated. Very thankful for your time. Best regards,
CA upgrade in several aspects
Good afternoon,
I'm running a CA, for generating the certificates for the backup clients
of my network and for the backup servers too. The certificates are used
for encrypting the backups stored in the servers and too, for
comunicating over TLS between severs and clients.
This CA has some years now and the certificates I generate for new
clients, are not working (directly) in new machines. The reason for that
is that new operating systems, are requiring stronger signing
algorithms. When you try to start the service using that certificates
(bacula file daemon) in a fresh new Debian for instance, systemd throws
the following error :
_OPENSSL.C:68 ERROR LOADING CERTIFICATE FILE: ERR=ERROR:140AB18E:SSL
ROUTINES:SSL_CTX_USE_CERTIFICATE:CA MD TOO WEAK_
I know you can fix that with the following change in openssl.conf :
_CIPHERSTRING = DEFAULT@SECLEVEL=2_
_CIPHERSTRING = DEFAULT@SECLEVEL=1_
But this last way, does not convince me... so I have started debugging
what exactly was causing the the problem. I saw, that sha1 is not
allowed as a signing valid algorithm for SECLEVEL 2. So, I tried moving
the CA to a more recent testing machine (with a newer OpenSSL
1.1.1l-freebsd), and I modified too in the openssl.conf of the CA (The
openssl.conf existing in the CA dir for generating certs and so...) :
I have attached the old version. The new using version in the testing
machine, is the old one plus the below changes :
- Added the line : "signer_digest = sha256"
- Modified the line : "digests= md5, sha1" by "digests =
sha1, sha256, sha384, sha512"
- Added the line : "ess_cert_id_alg= sha1"
Now... I have generated a new certificate by following the normal
procedure... generate the key and csr... later sing new cert... etc
etc.
This new generated certificate (signed with sha256WithRSAEncryption
algorithm), has worked with a newer version of the Bacula client and in
a almost new Debian system. So it seems, just by generating new
certificates, using them in that new machines, with a newer os and
keeping the old ca certificate, at least the service has started. We
have too, another master public key for encrypting content (which is an
oldly generated certificate signed with sha1WithRSAEncryption) that we
keep in case a customer looses it's keys for avoiding a possible
disaster.
I was wondering if some sort of problem could exist, by using those old
two certificates (the master public key and the old ca certifcate) with
the new generated certificate.
Now, that I have that CA, for whose purpose seems to be working, I have
started thinking... some more... I have noticed that the CA certificate
will expire in 2024. I assume that what I would have to do before that
CA cert expires could be :
- Generate a second ca cert for the CA.
- Change the ca certificate to be used (for signing and issuing new
certs) in openssl.conf :
_CERTIFICATE= $DIR/CACERT-NEW.PEM # THE CA CERTIFICATE_
- Sign again all the certificates in the CA...
- Change, all certificates in the CA (except the own ca cert which is
already changed).
- Finally replace in each servers and clients certs.
Is this a correct procedure for upgrading a CA?. I assume it can be
correct. Isn't it?. I think this procedure shouldn't break nothing
related to serials of certificates and so in the own ca. Am I wrong?.
Best regards,
+are causing to set a special config in /etc/ssl/openssl.conf saying : "# $FreeBSD: release/10.0.0/crypto/openssl/apps/openssl.cnf 238405 2012-07-12
19:30:53Z jkim $
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME= .
RANDFILE= $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = SARENET-CLOUDBACKUP-CA# The default ca section
[ SARENET-CLOUDBACKUP-CA ]
dir = /expert/SARENET-CLOUDBACKUP-CA# Where
everything is kept
certs = $dir/certs# Where the issued certs are kept
crl_dir = $dir/crl
Re: CA upgrade in several aspects
Please ignore the line below I said regards in my previous mail... it's there by error... cheers! El 2022-05-12 17:38, ego...@ramattack.net escribió: > Good afternoon, > > I'm running a CA, for generating the certificates for the backup clients of > my network and for the backup servers too. The certificates are used for > encrypting the backups stored in the servers and too, for comunicating over > TLS between severs and clients. > > This CA has some years now and the certificates I generate for new clients, > are not working (directly) in new machines. The reason for that is that new > operating systems, are requiring stronger signing algorithms. When you try to > start the service using that certificates (bacula file daemon) in a fresh new > Debian for instance, systemd throws the following error : > > _OPENSSL.C:68 ERROR LOADING CERTIFICATE FILE: ERR=ERROR:140AB18E:SSL > ROUTINES:SSL_CTX_USE_CERTIFICATE:CA MD TOO WEAK_ > > I know you can fix that with the following change in openssl.conf : > > _CIPHERSTRING = DEFAULT@SECLEVEL=2_ > > _CIPHERSTRING = DEFAULT@SECLEVEL=1_ > > But this last way, does not convince me... so I have started debugging what > exactly was causing the the problem. I saw, that sha1 is not allowed as a > signing valid algorithm for SECLEVEL 2. So, I tried moving the CA to a more > recent testing machine (with a newer OpenSSL 1.1.1l-freebsd), and I modified > too in the openssl.conf of the CA (The openssl.conf existing in the CA dir > for generating certs and so...) : > > I have attached the old version. The new using version in the testing > machine, is the old one plus the below changes : > > - Added the line : "signer_digest = sha256" > > - Modified the line : "digests= md5, sha1" by "digests = > sha1, sha256, sha384, sha512" > > - Added the line : "ess_cert_id_alg= sha1" > > Now... I have generated a new certificate by following the normal > procedure... generate the key and csr... later sing new cert... etc etc. > > This new generated certificate (signed with sha256WithRSAEncryption > algorithm), has worked with a newer version of the Bacula client and in a > almost new Debian system. So it seems, just by generating new certificates, > using them in that new machines, with a newer os and keeping the old ca > certificate, at least the service has started. We have too, another master > public key for encrypting content (which is an oldly generated certificate > signed with sha1WithRSAEncryption) that we keep in case a customer looses > it's keys for avoiding a possible disaster. > > I was wondering if some sort of problem could exist, by using those old two > certificates (the master public key and the old ca certifcate) with the new > generated certificate. > > Now, that I have that CA, for whose purpose seems to be working, I have > started thinking... some more... I have noticed that the CA certificate will > expire in 2024. I assume that what I would have to do before that CA cert > expires could be : > > - Generate a second ca cert for the CA. > > - Change the ca certificate to be used (for signing and issuing new certs) in > openssl.conf : > > _CERTIFICATE= $DIR/CACERT-NEW.PEM # THE CA CERTIFICATE_ > > - Sign again all the certificates in the CA... > > - Change, all certificates in the CA (except the own ca cert which is already > changed). > > - Finally replace in each servers and clients certs. > > Is this a correct procedure for upgrading a CA?. I assume it can be correct. > Isn't it?. I think this procedure shouldn't break nothing related to serials > of certificates and so in the own ca. Am I wrong?. > > Best regards, > > +are causing to set a special config in /etc/ssl/openssl.conf saying : "
Re: CA upgrade in several aspects
Hi Mark! Thank you so much for answering. I think that the process of issuing a new ca cert (for replacing the old ca cert with a new a certificate with more bits and better signing algorithms) should be : - Generate in the own ca a new ca cert. - Replace in openssl.conf which ca cert and ca keys should be used to issue certificates. - Then reissue all certificates. Am I wrong?. If I apply the following changes in openssl.conf from the openssl.conf I attached in my previous email, I suppose all should be fine then?. The commented changes are : - Added the line : "signer_digest = sha256" - Modified the line : "digests= md5, sha1" by "digests = sha1, sha256, sha384, sha512" - Added the line : "ess_cert_id_alg= sha1" Best regards, El 2022-05-12 18:21, Mark Hack escribió: > NIST-800-131a deprecated SHA1 signatures in January of 2013 along with > RSA1024 bit keys. You should be issuing certificates with at least RSA2048 > with SHA2 signatures, and preferably at least RSA3072 with SHA-384 signatures > and if you are re-issuing CA certs more bits is better. > > Nothing was said about CA certificates with SHA1 signatures and some > implementations will now reject these as non-compliant even if they were > issued before 2013. > > On Thu, 2022-05-12 at 17:40 +0200, egoitz--- via openssl-users wrote: > > Please ignore the line below I said regards in my previous mail... it's there > by error... > > cheers! > > El 2022-05-12 17:38, ego...@ramattack.net escribió: > > Good afternoon, > > I'm running a CA, for generating the certificates for the backup clients of > my network and for the backup servers too. The certificates are used for > encrypting the backups stored in the servers and too, for comunicating over > TLS between severs and clients. > > This CA has some years now and the certificates I generate for new clients, > are not working (directly) in new machines. The reason for that is that new > operating systems, are requiring stronger signing algorithms. When you try to > start the service using that certificates (bacula file daemon) in a fresh new > Debian for instance, systemd throws the following error : > > _OPENSSL.C:68 ERROR LOADING CERTIFICATE FILE: ERR=ERROR:140AB18E:SSL > ROUTINES:SSL_CTX_USE_CERTIFICATE:CA MD TOO WEAK_ > > I know you can fix that with the following change in openssl.conf : > > _CIPHERSTRING = DEFAULT@SECLEVEL=2_ > > _CIPHERSTRING = DEFAULT@SECLEVEL=1_ > > But this last way, does not convince me... so I have started debugging what > exactly was causing the the problem. I saw, that sha1 is not allowed as a > signing valid algorithm for SECLEVEL 2. So, I tried moving the CA to a more > recent testing machine (with a newer OpenSSL 1.1.1l-freebsd), and I modified > too in the openssl.conf of the CA (The openssl.conf existing in the CA dir > for generating certs and so...) : > > I have attached the old version. The new using version in the testing > machine, is the old one plus the below changes : > > - Added the line : "signer_digest = sha256" > > - Modified the line : "digests= md5, sha1" by "digests = > sha1, sha256, sha384, sha512" > > - Added the line : "ess_cert_id_alg= sha1" > > Now... I have generated a new certificate by following the normal > procedure... generate the key and csr... later sing new cert... etc etc. > > This new generated certificate (signed with sha256WithRSAEncryption > algorithm), has worked with a newer version of the Bacula client and in a > almost new Debian system. So it seems, just by generating new certificates, > using them in that new machines, with a newer os and keeping the old ca > certificate, at least the service has started. We have too, another master > public key for encrypting content (which is an oldly generated certificate > signed with sha1WithRSAEncryption) that we keep in case a customer looses > it's keys for avoiding a possible disaster. > > I was wondering if some sort of problem could exist, by using those old two > certificates (the master public key and the old ca certifcate) with the new > generated certificate. > > Now, that I have that CA, for whose purpose seems to be working, I have > started thinking... some more... I have noticed that the CA certificate will > expire in 2024. I assume that what I would have to do before that CA cert > expires could be : > > - Generate a second ca cert for the CA. > > - Change the ca certificate to be used (for signing and issuing new certs) in > openssl.conf : > > _CERTIFICATE= $DIR/C
