<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Good morning,</p>
<p><br /></p>
<p>We are running our own home ca, for generating certificates for our backup system. The new operating systems being recently backed up, have started saying :</p>
<p><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>openssl.c:67-0 jcr=0 Error loading certificate file: ERR=error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak</em></span></strong></span></p>
<p>I have seen it's an error you could workaround by setting SECLEVEL to 1 in the CipherString in openssl.conf... basically, some sort of this :</p>
<p><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>openssl_conf = default_conf</em></span></strong></span><br /><br /><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>[default_conf]</em></span></strong></span><br /><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>ssl_conf = ssl_sect</em></span></strong></span><br /><br /><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>[ssl_sect]</em></span></strong></span><br /><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>system_default = system_default_sect</em></span></strong></span><br /><br /><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>[system_default_sect]</em></span></strong></span><br /><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>MinProtocol = TLSv1.2</em></span></strong></span><br /><span style="font-size: 8pt;"><strong><span style="font-family: comic sans ms, sans-serif;"><em>CipherString = <a href="mailto:DEFAULT@SECLEVEL=2">DEFAULT@SECLEVEL=2</a></em></span></strong></span></p>
<p>I'm not happy with this way of fixing this... so I have planned to investigate and see what are the differences between SECLEVEL 2 and 1. I have seen that SECLEVEL 2, requires 2048 bit keys. No problem with that. I think the problem comes with the signature algorithm : "Signature Algorithm: sha1WithRSAEncryption".</p>
<p>I think that is the problem, the sha1. So... I have built Openssl 3.0.2 and now was planning and thinking which could be the following steps. I have seen that the own CA uses sha1WithRSAEncryption signature algorithm. I assume this is one of the things to change, so I have planned to convert the whole PKI, the whole CA to another supported Signature algorithm that had no issues with SECLEVEL2.</p>
<p>But as am not an expert in OpenSSL.. I would like to ask a couple of questions :</p>
<p><br /></p>
<p>1 - Is it possible to update a whole CA with 2048 bit public and private keys (I used in req section of openssl.conf, the default_bits to 2048) to a Signature algorithm that don't bother the SECLEVEL 2?. I mean to have two versions of the same certificate. One for SECLEVEL1 and one for SECLEVEL2?. I preserve all csr and so....</p>
<p><br /></p>
<p>2 - I was wondering too another question... although this is not urgent now. If the CA key pair, is almost expiring what's the proper process of doing what is supposed to be done?. I assume, it could be :</p>
<p>+ Create a new ca key pair.</p>
<p>+ Sign and generate all the certificates with the new CA.... so that when the old CA, expires to happen that no certificate depends on the old CA key pair?.</p>
<p>But... I assume I would have to use a different CN for the new CA?. Perhaps is this same process the one I need to do.... for converting certificates from SECLEVEL 1 friendly to SECLEVEL 2 friendly?.</p>
<p><br /></p>
<p>Any help would be very highly really appreciated. Very thankful for your time.</p>
<p>Best regards,</p>
<p><br /></p>
<p><br /></p>
<p><br /></p>
<p><br /></p>
</body></html>