Chuck Peters on 14 Dec 2015 10:45:48 -0800



Re: [PLUG] Moving from SHA1 to SHA2 for self-signed certificates


Michael Leone said:
> On Mon, Dec 14, 2015 at 11:18 AM, Keith C. Perry
> <kperry@daotechnologies.com> wrote:
> >
> > I'm going to guess that we are talking about certificates you have been signing for HTTPS use but if not please identify the use case(s).
> 
> Yep, HTTPS ...
> 
> > How did you issue them the first time?  OpenSSL?
> 
> Yes, OpenSSL 0.9.8g on Ubuntu 9.10 (yes, it's old, but I only use it
> for the occasional certificate, and internal SFTP server).

I'm not really understanding why you want to run a CA in this case...  
If you want it for sftp, you might consider setting up DNSSEC, DANE and 
some DNS SSHFP records.  http://fanf.livejournal.com/130577.html With 
all that said, you would probably need to upgrade SSH...

Ubuntu 9.10 is too old for this suggestion...  But everyone can obtain 
free certificates now with https://letsencrypt.org/, and it is so much 
easier.  And best of all, renewal of the certificates can be automated 
with a little shell script and cron.

Assuming you have DNS set up and are using a recent version of a Debian-based 
OS, follow these instructions! 
https://letsencrypt.org/howitworks/


This suggestion might be more hassle than it is worth: set up a small 
Digital Ocean VPS with a recent Debian or Ubuntu and point your DNS to 
it.  Create your certificates and then use the results on your old 
Ubuntu 9.10 box.  Renewals will be a bit of a hassle since the 
certificates are good for 90 days.  It would be possible to automate the 
renewal process using a Digital Ocean snapshot, but that seems like too 
much trouble if it is just one or two certificates.  Assuming you saved 
your work with a snapshot, and destroyed the VPS after creating the cert 
and saving the results, it would cost $ 0.007 / hr for the VPS.  

LetsEncrypt is still in beta; setting it up on non-Debian-based 
distributions can be done, but it is still being worked on.

A few other places offer free certificates; I have used StartSSL.  
https://www.startssl.com/?app=1


Chuck
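The thread asks how to reissue OpenSSL self-signed certificates with SHA-2 instead of SHA-1, and Chuck mentions automating renewal with a shell script and cron. The script below is an added example, not from the thread: it issues a SHA-256 self-signed certificate, checks which digest actually signed an existing certificate, and reissues from cron when the certificate is still SHA-1 signed or close to expiry. The file names, the CN and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the PLUG thread). Requires the openssl CLI.
set -e

# make_selfsigned KEY CERT CN DAYS
# Generates a 2048-bit RSA key and a self-signed certificate signed with SHA-256.
# Old openssl.cnf defaults (0.9.8 era) fell back to SHA-1 unless a digest was
# given, so the digest is passed explicitly instead of relying on the config.
make_selfsigned() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" -days "$4" -subj "/CN=$3" >/dev/null 2>&1
}

# sig_algorithm CERT -> prints the signature algorithm name, e.g.
# sha256WithRSAEncryption, as reported by "openssl x509 -text"
sig_algorithm() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# uses_sha1 CERT -> true if the certificate is still signed with SHA-1
uses_sha1() {
    case "$(sig_algorithm "$1")" in
        sha1*|*SHA1*) return 0 ;;
        *)            return 1 ;;
    esac
}

# expires_within CERT SECONDS -> true if the certificate expires within SECONDS
# ("openssl x509 -checkend" exits 0 only while the cert stays valid that long)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# reissue_if_needed KEY CERT CN -> reissues when the cert is missing, SHA-1
# signed, or has under 30 days left; prints "reissued" or "unchanged".
# Suitable for a cron line such as:  0 3 * * *  /usr/local/sbin/reissue.sh
reissue_if_needed() {
    if [ ! -f "$2" ] || uses_sha1 "$2" || expires_within "$2" $((30 * 86400)); then
        make_selfsigned "$1" "$2" "$3" 365
        echo reissued
    else
        echo unchanged
    fi
}
```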
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug