CA upgrade in several aspects

egoitz at ramattack.net egoitz at ramattack.net
Fri May 13 07:40:58 UTC 2022


Hi Mark! 

Thank you so much for answering. 

I think that the process of issuing a new ca cert (for replacing the old
ca cert with a new a certificate with more bits and better signing
algorithms) should be : 

- Generate in the own ca a new ca cert. 

- Replace in openssl.conf which ca cert and ca keys should be used to
issue certificates. 

- Then reissue all certificates. 

Am I wrong?. 

If I apply the following changes in openssl.conf from the openssl.conf I
attached in my previous email, I suppose all should be fine then?. The
commented changes are : 

- Added the line : "signer_digest  = sha256" 

- Modified the line : "digests        = md5, sha1" by "digests         =
sha1, sha256, sha384, sha512" 

- Added the line : "ess_cert_id_alg        = sha1" 

Best regards,

El 2022-05-12 18:21, Mark Hack escribió:

> NIST-800-131a deprecated SHA1 signatures in January of 2013 along with RSA1024 bit keys. You should be issuing certificates with at least RSA2048 with SHA2 signatures, and preferably at least RSA3072 with SHA-384 signatures and if you are re-issuing CA certs more bits is better. 
> 
> Nothing was said about CA certificates with SHA1 signatures and some implementations will now reject these as non-compliant even if they were issued before 2013. 
> 
> On Thu, 2022-05-12 at 17:40 +0200, egoitz--- via openssl-users wrote: 
> 
> Please ignore the line below I said regards in my previous mail... it's there by error... 
> 
> cheers!
> 
> El 2022-05-12 17:38, egoitz at ramattack.net escribió: 
> 
> Good afternoon, 
> 
> I'm running a CA, for generating the certificates for the backup clients of my network and for the backup servers too. The certificates are used for encrypting the backups stored in the servers and too, for comunicating over TLS between severs and clients. 
> 
> This CA has some years now and the certificates I generate for new clients, are not working (directly) in new machines. The reason for that is that new operating systems, are requiring stronger signing algorithms. When you try to start the service using that certificates (bacula file daemon) in a fresh new Debian for instance, systemd throws the following error : 
> 
> _OPENSSL.C:68 ERROR LOADING CERTIFICATE FILE: ERR=ERROR:140AB18E:SSL ROUTINES:SSL_CTX_USE_CERTIFICATE:CA MD TOO WEAK_ 
> 
> I know you can fix that with the following change in openssl.conf : 
> 
> _####CIPHERSTRING = DEFAULT at SECLEVEL=2_ 
> 
> _CIPHERSTRING = DEFAULT at SECLEVEL=1_ 
> 
> But this last way, does not convince me... so I have started debugging what exactly was causing the the problem. I saw, that sha1 is not allowed as a signing valid algorithm for SECLEVEL 2. So, I tried moving the CA to a more recent testing machine (with a newer OpenSSL 1.1.1l-freebsd), and I modified too in the openssl.conf of the CA (The openssl.conf existing in the CA dir for generating certs and so...) : 
> 
> I have attached the old version. The new using version in the testing machine, is the old one plus the below changes : 
> 
> - Added the line : "signer_digest  = sha256" 
> 
> - Modified the line : "digests        = md5, sha1" by "digests         = sha1, sha256, sha384, sha512" 
> 
> - Added the line : "ess_cert_id_alg        = sha1" 
> 
> Now... I have generated a new certificate by following the normal procedure... generate the key and csr... later sing new cert... etc etc..... 
> 
> This new generated certificate (signed with sha256WithRSAEncryption algorithm), has worked with a newer version of the Bacula client and in a almost new Debian system. So it seems, just by generating new certificates, using them in that new machines, with a newer os and keeping the old ca certificate, at least the service has started. We have too, another master public key for encrypting content (which is an oldly generated certificate signed with sha1WithRSAEncryption) that we keep in case a customer looses it's keys for avoiding a possible disaster. 
> 
> I was wondering if some sort of problem could exist, by using those old two certificates (the master public key and the old ca certifcate) with the new generated certificate. 
> 
> Now, that I have that CA, for whose purpose seems to be working, I have started thinking... some more... I have noticed that the CA certificate will expire in 2024. I assume that what I would have to do before that CA cert expires could be : 
> 
> - Generate a second ca cert for the CA. 
> 
> - Change the ca certificate to be used (for signing and issuing new certs) in openssl.conf : 
> 
> _CERTIFICATE    = $DIR/CACERT-NEW.PEM     # THE CA CERTIFICATE_ 
> 
> - Sign again all the certificates in the CA... 
> 
> - Change, all certificates in the CA (except the own ca cert which is already changed). 
> 
> - Finally replace in each servers and clients certs. 
> 
> Is this a correct procedure for upgrading a CA?. I assume it can be correct. Isn't it?. I think this procedure shouldn't break nothing related to serials of certificates and so in the own ca. Am I wrong?. 
> 
> Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220513/6bc40d79/attachment.htm>


More information about the openssl-users mailing list