Chuck Peters on 14 Dec 2015 10:45:48 -0800


Re: [PLUG] Moving from SHA1 to SHA2 for self-signed certificates

Michael Leone said:
> On Mon, Dec 14, 2015 at 11:18 AM, Keith C. Perry
> <> wrote:
> >
> > I'm going to guess that we are talking about certificates you have been signing for HTTPS use but if not please identify the use case(s).
> Yep, HTTPS ...
> > How did you issue them the first time?  OpenSSL?
> Yes, OpenSSL 0.9.8g on Ubuntu 9.10 (yes, it's old, but I only use it
> for the occasional certificate, and internal SFTP server).

I'm not really understanding why you want to run a CA in this case...  
If you want it for sftp, you might consider setting up DNSSEC, DANE and 
some DNS SSHFP records. With 
all that said, you would probably need to upgrade SSH...

Ubuntu 9.10 is too old for this suggestion...  But everyone can obtain 
free certificates now with, and it is so much 
easier.  And best of all, renewal of the certificates can be automated 
with a little shell script and cron.

Assuming you have DNS set up and are using a recent version of a 
Debian-based OS, follow these instructions!

This suggestion might be more hassle than it is worth: set up a small 
Digital Ocean VPS with a recent Debian or Ubuntu and point your DNS to 
it.  Create your certificates and then use the results on your old 
Ubuntu 9.10 box.  Renewals will be a bit of a hassle since the 
certificates are good for 90 days.  It would be possible to automate the 
renewal process using a Digital Ocean snapshot, but that seems like too 
much trouble if it is just one or two certificates.  Assuming you saved 
your work with a snapshot, and destroyed the VPS after creating the cert 
and saving the results, it would cost $0.007/hr for the VPS.

LetsEncrypt is still in beta. Setting it up on non-Debian-based 
distributions can be done, but it is still being worked on.

A few other places offer free certificates; I have used StartSSL.
