Certificate authority changes with OpenSSL

egoitz at ramattack.net egoitz at ramattack.net
Thu Mar 17 18:51:43 UTC 2022 

Good morning, 

We are running our own home ca, for generating certificates for our
backup system. The new operating systems being recently backed up, have
started saying : 

_OPENSSL.C:67-0 JCR=0 ERROR LOADING CERTIFICATE FILE:
ERR=ERROR:140AB18E:SSL ROUTINES:SSL_CTX_USE_CERTIFICATE:CA MD TOO WEAK_ 

I have seen it's an error you could workaround by setting SECLEVEL to 1
in the CipherString in openssl.conf... basically, some sort of this : 

_OPENSSL_CONF = DEFAULT_CONF_

_[DEFAULT_CONF]_
_SSL_CONF = SSL_SECT_

_[SSL_SECT]_
_SYSTEM_DEFAULT = SYSTEM_DEFAULT_SECT_

_[SYSTEM_DEFAULT_SECT]_
_MINPROTOCOL = TLSV1.2_
_CIPHERSTRING = DEFAULT at SECLEVEL=2_ 

I'm not happy with this way of fixing this... so I have planned to
investigate and see what are the differences between SECLEVEL 2 and 1. I
have seen that SECLEVEL 2, requires 2048 bit keys. No problem with that.
I think the problem comes with the signature algorithm : "Signature
Algorithm: sha1WithRSAEncryption". 

I think that is the problem, the sha1. So... I have built Openssl 3.0.2
and now was planning and thinking which could be the following steps. I
have seen that the own CA uses sha1WithRSAEncryption signature
algorithm. I assume this is one of the things to change, so I have
planned to convert the whole PKI, the whole CA to another supported
Signature algorithm that had no issues with SECLEVEL2. 

But as am not an expert in OpenSSL.. I would like to ask a couple of
questions : 

1 - Is it possible to update a whole CA with 2048 bit public and private
keys (I used in req section of openssl.conf, the default_bits to 2048)
to a Signature algorithm that don't bother the SECLEVEL 2?. I mean to
have two versions of the same certificate. One for SECLEVEL1 and one for
SECLEVEL2?. I preserve all csr and so.... 

2 - I was wondering too another question... although this is not urgent
now. If the CA key pair, is almost expiring what's the proper process of
doing what is supposed to be done?. I assume, it could be : 

+ Create a new ca key pair. 

+ Sign and generate all the certificates with the new CA.... so that
when the old CA, expires to happen that no certificate depends on the
old CA key pair?. 

But... I assume I would have to use a different CN for the new CA?.
Perhaps is this same process the one I need to do.... for converting
certificates from SECLEVEL 1 friendly to SECLEVEL 2 friendly?. 

Any help would be very highly really appreciated. Very thankful for your
time. 

Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220317/3c1b85a5/attachment.htm>

More information about the openssl-users mailing list