Thawte SSL Security Testing

Webgecko

Hi Guys. Hopefully this will help a few of you and save you some time.

Thawte has been testing certificates and sending out this message...

Code:
VeriSign has detected a security vulnerability for the certificate(s)
listed below.

....list of certs here....

If you'd like to confirm your CSR contains a weak key due to the Debian
OpenSSL vulnerability, use our Certificate Checker

https://www.verisign.com/support/debian-csr-checker/index.html

VeriSign regards this as a critical matter that jeopardizes the security of
your Web site and erodes the integrity of the VeriSign Trust Network.
Consequently, we are taking this matter very seriously and will begin
revoking certificates that are still affected by this flaw starting 
March 31, 2009.

Which is fine...

So....I proceeded to patch OpenSSL (FreeBSD 6.2), generated a new CSR for the client and it still failed. I've been scratching my head over this for days until I finally tried the following.

Remove the old key, generate a new CSR and it's all worked fine. Apparently when a new CSR is generated in DA, it doesn't overwrite the existing key. The new CSR I was generating still failed stating that I had a weak key.

Solution - remove the old key....generate a new CSR...submit CSR to Thawte...replace key.

Cheers!!
 
Nice one, thanks.

To check whether your (or anyone else's) SSL certificate is compromised (or based on a weak MD5 hash) use the Firefox extension SSL Blacklist.
 
Apparently when a new CSR is generated in DA, it doesn't overwrite the existing key. The new CSR I was generating still failed stating that I had a weak key.
That was an intentional change some time ago so your old Certificate would continue to work between the time you ordered a renewal Certificate and it arrived.

Jeff
 
That was an intentional change some time ago so your old Certificate would continue to work between the time you ordered a renewal Certificate and it arrived.

Jeff

Which is great...but until you've just mentioned it....who would know, especially if you've just recently started using DA. I dug through the forum for ages looking for this sort of thing happening to others, but found nothing (perhaps didn't use the right keywords...but..) Perhaps when a new CSR is generated, DA could somehow let the user know that the old key still remains intact and possibly a suggestion on how to generate a new key?

A simple message like that would have saved me days of frustration, hassles with customers, overseas phone calls to VeriSign and a whole lot of antacids.

Cheers!!
 
I, too, suggest adding an option to create a new private key, set by default in case of a compromised (or based on MD5) key when creating a new certificate signing request (with a brief message).
 
Hello,

Create a self-signed certificate to create a new key.
Then create the csr again.

If you want your old cert/key working while you buy a new cert with the new key, make sure you backup your old cert/key first before creating the self-signed cert.

John
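The procedure Webgecko and John describe (back up the old key/cert, generate a brand-new private key, build the CSR from that key) can be scripted and, more importantly, verified: the check that would have shown the problem immediately is to compare the public key inside the CSR with the public key of the key file you think you used. The following is an added example, not DirectAdmin's code and not from this thread; it assumes only the `openssl` command-line tool is on PATH, and the file names, directories and the `/CN=www.example.test` subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not DirectAdmin's code): rotate the private key together with
# the CSR, and prove the CSR carries the NEW public key rather than a stale one.
# Assumes the openssl CLI is available; paths and subject below are constructed.
set -eu

# Back up an existing key/cert pair before replacing it (so the old cert keeps
# working while the renewal is pending). $1 = live dir, $2 = backup dir.
backup_old_material() {
  mkdir -p "$2"
  for f in server.key server.crt; do
    if [ -f "$1/$f" ]; then
      cp -p "$1/$f" "$2/$f.$(date +%Y%m%d%H%M%S)"
    fi
  done
}

# Generate a fresh 2048-bit RSA key and a CSR built from that key.
# $1 = new key path, $2 = CSR path, $3 = subject, e.g. "/CN=www.example.test"
generate_fresh_key_and_csr() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  chmod 600 "$1"
  openssl req -new -key "$1" -out "$2" -subj "$3"
}

# SHA-256 over the PEM SubjectPublicKeyInfo derived from a private key file.
key_pub_fingerprint() {
  openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# SHA-256 over the PEM SubjectPublicKeyInfo embedded in a CSR.
csr_pub_fingerprint() {
  openssl req -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the CSR was generated from exactly this private key.
# If this fails for the key you just created, the CSR was built from an old key.
csr_matches_key() {
  [ "$(csr_pub_fingerprint "$1")" = "$(key_pub_fingerprint "$2")" ]
}

# Demo of the failure mode from the thread: a "new" CSR built from the OLD key
# still carries the old public key, so the CA keeps rejecting it.
demo() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null          # stale key
  openssl req -new -key "$d/server.key" -out "$d/stale.csr" -subj "/CN=www.example.test"
  backup_old_material "$d" "$d/backup"
  generate_fresh_key_and_csr "$d/new.key" "$d/new.csr" "/CN=www.example.test"
  if csr_matches_key "$d/stale.csr" "$d/new.key"; then
    echo "stale CSR unexpectedly matches the new key"
  else
    echo "stale CSR does NOT match the new key (this is the DA symptom)"
  fi
  if csr_matches_key "$d/new.csr" "$d/new.key"; then
    echo "new CSR was built from the new key: OK to submit"
  fi
  rm -rf "$d"
}

demo
```

Run `csr_matches_key new.csr new.key` before submitting any renewal CSR: if it fails, the control panel reused an existing key and the CSR will be rejected again no matter how many times it is regenerated. This example only proves which key a CSR belongs to; checking whether a key is one of the known weak Debian keys is a separate step, for which Debian's openssl-blacklist package provides the `openssl-vulnkey` tool (not used here).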
 