Generate SHA-256 CSRs by default, deprecate SHA-1 CSRs
Microsoft and Google are driving a migration to SHA-256 (aka SHA-2). Chrome will soon warn when it sees SHA-1-signed certificates with expiry dates after 2015 as secure but with errors, and those which expire after 2016 as insecure. Already, SSL Labs has lowered their grade for such certificates.
cPanel should start to call openssl with the -sha256 argument in the Generate an SSL Certificate and Signing Request page, otherwise all its CSRs will be SHA-1, and requested certificates will be signed as SHA-1 (and hence, weak). This is separate from whether the key-size is 2048 or 4096 bytes.
Free certificate issuer StartSSL do not currently warn when SHA-1 CSRs are used, and don't let you generate a new certificate for the same subdomain without paying them. Users who use CSRs from the current version of cPanel may be stuck with a cert which will cause browser warnings if this isn't fixed.
I'd expect to see the option for a SHA-1 CSR, but SHA-2 should be the default and there should be big warnings around SHA-1 for users who don't know what they're doing.
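The command-line workaround mentioned later in the thread, written out as an added example (not cPanel's own code): it generates a CSR whose signature uses SHA-256 and checks which signature algorithm a given CSR actually carries, so a SHA-1 CSR can be caught before it is submitted to a CA. It assumes the openssl CLI is on PATH; the file paths and the CN are placeholders.

```shell
#!/bin/sh
# Added example, not cPanel code. Assumes the openssl CLI is installed.
set -eu

# Generate a 2048-bit RSA key and a CSR signed with the given digest
# (default sha256). Without -sha256, older openssl builds fall back to
# sha1WithRSAEncryption, which is exactly the weak CSR the thread is about.
# Key-generation progress dots and deprecation notices go to stderr.
make_csr() {
    key="$1"; csr="$2"; cn="$3"; digest="${4:-sha256}"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -"$digest" \
        -subj "/CN=$cn" 2>/dev/null
}

# Print the signature algorithm recorded in a CSR,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
csr_sig_alg() {
    openssl req -noout -text -in "$1" \
        | awk '/Signature Algorithm/ { print $3; exit }'
}

# Return 0 when the CSR is SHA-2 signed (the algorithms cPanel says it
# accepts), 1 otherwise, so a pre-submission check can refuse SHA-1 CSRs.
csr_is_sha2() {
    case "$(csr_sig_alg "$1")" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage (placeholder paths and hostname):
#   make_csr www.key www.csr www.example.com
#   csr_is_sha2 www.csr && echo "SHA-2 CSR, safe to submit"
```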
We are changing the default algorithm used for creating SSL Keys, CSRs, and Certificates, from SHA1 to SHA256. The change will go out as part of 11.46, and should be backported to 11.44.
Also, the internal case number is 118297.
Update 2014-10-30:
By default our CSRs are generated using SHA256, in 11.46. If you integrate your own CSRs into cPanel & WHM, we also accept SHA384 and SHA512.
OK cPanel, seriously, you need to get on this. My customers are already asking about SHA-2/SHA256 certificates.
I concur.
SHA-1 certs have become a requirement for certs that expire after 2016 for Google Chrome and Firefox:
https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
CSRs need to default to SHA2 now…
We have people asking too. It would be good to get this going ASAP!
Google says: "Within months, certificates that expire after 2016 will be affected. Relatively soon thereafter, further changes will be introduced that will impact the certificates that expire during 2016."
I realize that it takes time to move things through the cPanel planning and testing phases, before it gets into production, so I feel we don't have much time to get this implemented. Anyone from cPanel out there to acknowledge that this is being worked on?
Nice to see this has made it to "in progress":
Kenneth, I don't expect a firm date, but can you give a broad guess as to when this might be backported to 11.44? I need to give my customers something, other than "I have no idea when I will be able to fix this" :-)
Thanks much!!!
- Scott
Thanks, Kenneth!!
EDIT: However, I just caught your suggestion to generate one from the command line. That's an acceptable workaround, thanks.
@Kenneth -- any word on porting this to 11.44?