
Thread: Thawte SSL Security Testing

  1. #1

    Thawte SSL Security Testing

    Hi Guys. Hopefully this will help a few of you and save you some time.

    Thawte has been testing certificates and sending out this message...

    Code:
    VeriSign has detected a security vulnerability for the certificate(s)
    listed below.
    
    ....list of certs here....
    
    If you'd like to confirm your CSR contains a weak key due to the Debian
    OpenSSL vulnerability, use our Certificate Checker
    
    https://www.verisign.com/support/debian-csr-checker/index.html
    
    VeriSign regards this as a critical matter that jeopardizes the security of
    your Web site and erodes the integrity of the VeriSign Trust Network.
    Consequently, we are taking this matter very seriously and will begin
    revoking certificates that are still affected by this flaw starting
    March 31, 2009.

    Which is fine...

    So....I proceeded to patch OpenSSL (FreeBSD 6.2), generated a new CSR for the client and it still failed. I've been scratching my head over this for days until I finally tried the following.

    Remove the old key, generate a new CSR and it's all worked fine. Apparently when a new CSR is generated in DA, it doesn't overwrite the existing key. The new CSR I was generating still failed stating that I had a weak key.

    Solution - remove the old key....generate a new CSR...submit CSR to Thawte...replace key.

    Cheers!!
    Webgecko
    --

  2. #2
    Nice one, thanks.

    To check whether your (or anyone else's) SSL certificate is compromised (or based on a weak MD5 hash) use the Firefox extension SSL Blacklist.
    Martino Dell'Ambrogio <tillo@tillo.ch> http://www.tillo.ch/ Security Auditor

  3. #3
    Quote Originally Posted by Webgecko:
    Apparently when a new CSR is generated in DA, it doesn't overwrite the existing key. The new CSR I was generating still failed stating that I had a weak key.
    That was an intentional change some time ago so your old Certificate would continue to work between the time you ordered a renewal Certificate and it arrived.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  4. #4
    Quote Originally Posted by jlasman:
    That was an intentional change some time ago so your old Certificate would continue to work between the time you ordered a renewal Certificate and it arrived.

    Jeff
    Which is great...but until you've just mentioned it....who would know, especially if you've just recently started using DA. I dug through the forum for ages looking for this sort of thing happening to others, but found nothing (perhaps didn't use the right keywords...but..) Perhaps when a new CSR is generated, DA could somehow let the user know that the old key still remains intact and possibly a suggestion on how to generate a new key?

    A simple message like that would have saved me days of frustration, hassles with customers, overseas phone calls to VeriSign and a whole lot of antacids.

    Cheers!!
    Webgecko
    --

  5. #5
    I, too, suggest adding an option to create a new private key, set by default in case of a compromised (or based on MD5) key when creating a new certificate signing request (with a brief message).
    Martino Dell'Ambrogio <tillo@tillo.ch> http://www.tillo.ch/ Security Auditor

  6. #6
    Hello,

    Create a self-signed certificate to create a new key.
    Then create the csr again.

    If you want your old cert/key working while you buy a new cert with the new key, make sure you backup your old cert/key first before creating the self-signed cert.

    John
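The fix Webgecko and John describe, checked mechanically: an added shell example (not from the thread and not DirectAdmin's own code) that moves the old key aside as a backup, generates a fresh key and CSR, and confirms the CSR's modulus comes from the new key rather than the old one. It assumes the openssl CLI is installed and uses the assumed file names server.key / server.csr.

```shell
#!/bin/sh
# Added example: regenerate a key + CSR and prove the CSR uses the NEW key.
set -eu

# Digest of the RSA modulus inside a key, CSR or certificate so they can be compared.
# usage: modulus_fp <rsa|req|x509> <file>
modulus_fp() {
  openssl "$1" -noout -modulus -in "$2" | openssl sha256 | sed 's/.*= //'
}

# Does the CSR in $2 really carry the public key of the private key in $1?
# Returns 0 (true) when the moduli match, 1 otherwise.
csr_matches_key() {
  [ "$(modulus_fp rsa "$1")" = "$(modulus_fp req "$2")" ]
}

# Move any existing key aside (backup, as John advises), then create a
# brand-new key and a CSR built from that new key only.
# usage: regen_key_and_csr <dir> [subject]
regen_key_and_csr() {
  dir=$1
  subj=${2:-/CN=example.test}          # constructed placeholder subject
  if [ -f "$dir/server.key" ]; then
    mv "$dir/server.key" "$dir/server.key.old"
  fi
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "$subj" \
    -out "$dir/server.csr" 2>/dev/null
}

# Demo when run directly: reproduce the failure mode (a CSR still bound to
# the old key), then regenerate and show the CSR now matches the new key.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  openssl genrsa -out "$work/server.key" 2048 2>/dev/null
  cp "$work/server.key" "$work/old.key"
  regen_key_and_csr "$work" "/CN=demo.example"
  if csr_matches_key "$work/old.key" "$work/server.csr"; then
    echo "CSR still uses the OLD key - this is the trap in the thread"
  else
    echo "CSR no longer matches the old key"
  fi
  csr_matches_key "$work/server.key" "$work/server.csr" \
    && echo "CSR matches the freshly generated key"
fi
```

Run the same modulus comparison against the certificate (`modulus_fp x509 server.crt`) once the CA returns it, so the installed key, CSR and certificate are verified as one set.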
