default key size needs to be changed (security issues)

The SSL default key size should be changed from 512 to 2048 because the PCI standards and all SSL CA Authorities now enforce a 2048 bit key as of January 1, 2010. If you try to use a 1024 bit key generated CSR it will be rejected, Godaddy has done this and so has Enom.

The module Virtualmin Virtual Servers config is showing 512 as the webmin default and should be changed.

Webmin/Usermin should be changed as well, along with anything else that auto-generates an SSL key.

Status: Closed (fixed)

Comments

Virtualmin 3.77 will increase the default key size to 2048.

BTW this is very important about the key size and current SSL certs and everyone needs to be aware of it.

So can you make an announcement about this? Everyone that is using Webmin under SSL needs to re-key their cert to 2048, and anyone that has a certificate they bought in the last 11 months needs to re-key them and re-submit a new CSR, because on December 31, 2010 ALL Root Certificate Authorities will be removing all root CA's with 1024 keys.

If they don't, their SSL cert will overlap that date and no browser will allow them.

Wait .. are you sure that as of 31st December all 1024-bit keys are going to stop working? Even if root CAs stop issuing or using 1024-bit keys themselves, existing keys will still work.

Yup very positive.

The following are the requirements established by the Certificate Authority Browser Forum for Extended Validation Certificates:

  • A minimum of 2048-bit RSA keys for root and subordinate CAs.
  • A minimum of 2048-bit keys for entity certificates (the secure certificates issued to our customers) that expire after December 31st, 2010.

Microsoft®, for example, is a member of the Certificate Authority Browser Forum and supports these requirements for all certificates by incorporating the following requirements into their programs:

  • All new root certificates must have a minimum of 2048-bit RSA keys.
  • 1024-bit roots will be removed from the Microsoft Root Certificate Program by December 31st, 2010.
  • All end entity certificates issued after December 31st, 2010 must have a minimum of 2048-bit RSA keys.

In layman's terms.....

Come December 31, 2010 all browsers will have their 1024 Root CA's removed, and any cert signed by them will fail because the Root CA that made them is gone.

Mozilla is a member of the Certificate Authority Browser Forum so that means Firefox will be affected.

Also all the ca-certs in Debian will be upgraded to only have the 2048 key root CA's.

However they could remove all those root ca's before December too which is why I asked you to make an announcement about this.

I am a voting member of the Internet Society (ISOC) - www.isoc.org - and we have been talking about this for a year now. It will happen by the end of the year or earlier.

Do you have a pointer to a website announcing this? I find it hard to believe that some browser change is going to break all websites whose SSL certs were created with only 1024 bit keys, as there must be millions of domains out there. I could believe that they will begin requiring new certs to be 2048 bits, but that is less worrying ..

I did point you to an article about it in comment #1... didn't you read it?

For info about GoDaddy rejecting a CSR with less than a 2048 key see http://help.godaddy.com/article/5619

If you want more links google "Certificate Authority Browser Forum"

Since you won't take my abbreviated version you can also start with reading the links below:

http://www.cabforum.org/documents.html
http://www.cabforum.org/forum.html - CA/Browser Forum members
http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.01.01_60/ts_... - guidelines

http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf
Appendix A
3. Subscriber Certificates
Certificate issued on or before 31 Dec 2010...

RSA: 1024 or 2048 (Note: subscriber certificates containing a 1024 bit RSA key MUST expire on or before 31 Dec 2010)

Can't get any more plain here. Believe me now?

So according to that GoDaddy page:

All end entity certificates issued after December 31st, 2010 must have a minimum of 2048-bit RSA keys.

Which means that any cert that is valid now will continue to be valid, even after 31st December 2010.

I totally understand that the default needs to be 2048 bits .. but the way I'm reading it, certs smaller than 2048 bits which haven't expired will still be valid after December 31st.

Seriously.... you guys do not read each line but skim over them....

Microsoft is part of this cabal.... They said that ALL THEIR ROOT CA's THAT ARE 1024 KEY BIT WILL BE REMOVED FROM THEIR IE BROWSER, so even though the website cert is supposedly valid it will NOT EVER be VALID because the ROOT CA that signed it is now gone.... the same goes for Opera and Mozilla....

Get it now?

Even I can read that and understand what the flippin issue is going to be. If you guys don't then forget it.. I really tried my best to write this in American English but I have failed.

And you didn't read anything else, like the PDFs that I read, to also understand what is going on.

Ok, here is another way to explain this.. if you don't get it with this example, just close the ticket and enjoy life.

No 1024 bit Root CA's after 12.31.2011 in any browser = $100 SSL cert that is considered a self-signed cert

Ok, how about if Virtualmin was to warn if the CA cert used to sign a domain's cert was less than 2048 bits? That would be do-able, and based on my conversation with Eric detects the situation that will occur after 31st December..
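A check of the kind proposed above, written here as an added example and not Virtualmin's own code: it walks a certificate chain and reports every certificate whose RSA key is below 2048 bits, so a weak CA or leaf key is flagged before the cut-off date bites. It uses only the Go standard library; the `selfSigned` helper and the certificate names are constructed test data, not real certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the floor the CA/Browser Forum text quoted in the thread sets.
const MinRSABits = 2048

// WeakKeys walks a chain (leaf first, root last) and reports every certificate whose
// RSA key is shorter than MinRSABits; a non-RSA key is reported rather than passed.
func WeakKeys(chain []*x509.Certificate) []string {
	var findings []string
	for _, c := range chain {
		switch pub, ok := c.PublicKey.(*rsa.PublicKey); {
		case !ok:
			findings = append(findings, c.Subject.CommonName+": non-RSA key, not checked")
		case pub.N.BitLen() < MinRSABits:
			findings = append(findings, fmt.Sprintf("%s: %d-bit RSA key", c.Subject.CommonName, pub.N.BitLen()))
		}
	}
	return findings
}

// must keeps the constructed test data below short; it is not part of the check.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed self-signed certificate with an RSA key of the given size.
func selfSigned(cn string, bits int) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

On a real server the chain would come from `x509.ParseCertificate` over the PEM blocks of the domain's cert and CA bundle instead of `selfSigned`.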

Automatically closed -- issue fixed for 2 weeks with no activity.