cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Generate SHA-256 CSRs by default, deprecate SHA-1 CSRs

GreenReaper shared this idea 6 years ago
Completed

Microsoft and Google are driving a migration to SHA-256 (aka SHA-2). Chrome will soon warn when it sees a SHA-1-signed certificates with expiry dates after 2015 as secure but with errors, and those which expire after 2016 as insecure. Already, SSL Labs has lowered their grade for such certificates.


cPanel should start to call openssl with the -sha256 argument in the Generate an SSL Certificate and Signing Request page, otherwise all its CSRs will be SHA-1, and requested certificates will be signed as SHA-1 (and hence, weak). This is separate from whether the key-size is 2048 or 4096 bytes.


Free certificate issuer StartSSL do not currently warn when SHA-1 CSRs are used, and don't let you generate a new certificate for the same subdomain without paying them. Users who use CSRs from the current version of cPanel may be stuck with a cert which will cause browser warnings if this isn't fixed.


I'd expect to see the option for a SHA-1 CSR, but SHA-2 should be the default and there should be big warnings around SHA-1 for users who don't know what they're doing.

Best Answer
photo

We are changing the default algorithm used for creating SSL Keys, CSRs, and Certificates, from SHA1 to SHA256. The change will go out as part of 11.46, and should be back ported to 11.44.


Also, the internal case number is 118297


Update 2014-10-30:


By default our CSRs are generated using SHA256, in 11.46. If you integrate your own CSRs into cPanel & WHM, we also accept SHA384, and SHA512.

Replies (14)

photo
2

OK cPanel, seriously, you need to get on this. My customers are already asking about SHA-2/SHA256 certificates.

photo
2

I concur.

photo
2

SHA-1 certs have become a requirement for certs that expire after 2016 for Google Chrome and Firefox :


https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know


https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/


CSR's need to default to SHA2 now…

photo
2

We have people asking too. It would be good to get this going ASAP!

photo
2

Google Says:"Within months, certificates that expire after 2016 will be affected. Relatively soon thereafter, further changes will be introduced that will impact the certificates that expire during 2016."

I realize that it takes time to move things through the cPanel planning and testing phases, before it gets into production, so I feel we don't have much time to get this implemented. Anyone from cPanel out there to acknowledge that this is being worked on?

photo
2

Nice to see this has made it to in progress :

photo
1

We are changing the default algorithm used for creating SSL Keys, CSRs, and Certificates, from SHA1 to SHA256. The change will go out as part of 11.46, and should be back ported to 11.44.


Also, the internal case number is 118297


Update 2014-10-30:


By default our CSRs are generated using SHA256, in 11.46. If you integrate your own CSRs into cPanel & WHM, we also accept SHA384, and SHA512.

photo
1

Kenneth, I don't expect a firm date, but can you give a broad guess as to when this might be back ported to 11.44? I need to give my customers something, other than "I have no idea when I will be able to fix this" :-)


Thanks much!!!


- Scott

photo
1

sneader wrote:

Kenneth, I don't expect a firm date, but can you give a broad guess as to when this might be back ported to 11.44? I need to give my customers something, other than "I have no idea when I will be able to fix this" :-)


Thanks much!!!


- Scott

We don't have another 11.44 release scheduled until after 11.46 makes it to all the tiers. I would say late November at the earliest.

photo
2

Kenneth Power wrote:

We don't have another 11.44 release scheduled until after 11.46 makes it to all the tiers. I would say late November at the earliest.
Thanks, that helps a lot! I'd be curious if there is any other way to get a SHA2/256 CSR generated that is cPanel compatible? i.e. if I needed one now, is there a work-around?

photo
3

sneader wrote:

Thanks, that helps a lot! I'd be curious if there is any other way to get a SHA2/256 CSR generated that is cPanel compatible? i.e. if I needed one now, is there a work-around?
If you need one now, you can generate one on the command line:


  1. openssl req -new -newkey rsa:2048 -nodes -sha256 -out http://www.mydomain.com.sha256.csr -keyout http://www.mydomain.key -subj "/C=US/ST=TX/L=USA/O=WHATEVER/CN=http://www.moydomain.com";

photo
1

Thanks, Kenneth!!

photo
1

Kenneth Power wrote:

We don't have another 11.44 release scheduled until after 11.46 makes it to all the tiers. I would say late November at the earliest.
With all due respect, considering the timeline of when a SHA-1 certificate will produce a warning in most browsers, that's a long time to wait. SHA-1 use has been deprecated since 2011.


EDIT: However, I just caught your suggestion to generate one from the command line. That's an accepatable workaround, thanks.

photo
1

@Kenneth -- any word on porting this to 11.44?

Replies have been locked on this page!