
Do I need to re-generate my self-signed SSL Certificate after upgrading OpenSSL?

Kroptokin

Regular Pleskian
Hi

I have installed the 7 April release of OpenSSL (OpenSSL 1.0.1g 7 Apr 2014) as my machine had a vulnerable version installed.

My Plesk Admin panel is protected with the 'default certificate'. This is the self-generated certificate that provides SSL encryption but is not signed by a recognized certificate issuer. It was pre-installed on the system when I got it.

From what I have read about Heartbleed I will need to revoke that SSL Certificate and create a new one.

Firstly, is this correct?

Secondly, how do I do this? I found this Parallels documentation for Plesk 11.5: http://kb.parallels.com/en/6140 . However I don't get beyond the first step as there is no file openssl.conf on my system.

Update:

Ok. I have found that it looks like you can do this through the Control Panel. Tools & Settings.... SSL Certificates... Add SSL Certificate. Choose Self-Signed and it will generate one for you.

That looks easy. Just one question: what do I put as the domain? I access the Control Panel with an IP and port. Do I just put the IP?

And; do I need to do anything to revoke the old certificate?

Thank you

--Justin Wyllie
 
Yes, that is correct. You should either create a new self-signed certificate or get a "real certificate" re-issued, once your system is patched, of course.

I'm pretty sure you can use an IP instead of a domain, I can at my CA at least.

Since Plesk only creates a 2048-bit self-signed certificate, you can always create one via SSH...

Create a self-signed cert with an 8192-bit public key and SHA-384, valid for 2 years:
Code:
openssl req -x509 -nodes -days 730 -sha384 -newkey rsa:8192 -keyout /etc/ssl/private/domain.key -out /etc/ssl/certs/domain.crt

Download the files and copy the text into a new SSL certificate in the Plesk Panel.

Hope that helps

Kind regards

Lloyd
 
Thanks Lloyd

I tried to do it manually and copied the files to /etc/httpd/conf. It didn't work. So I abandoned the operation and used the Control Panel. Having done all that, I discovered that Plesk keeps the keys in /usr/local/psa/var/certificates


Anyhow I decided to stick with the Plesk route as using Plesk for everything is my general policy. How much less security do you think I have using 2048 bits rather than 8192?

Finally; using the Plesk control panel I have to use a domain name. It won't accept an IP address.

Regards

Justin
 
No problem. Yeah, you will have to download the .key and .crt files using SFTP. Once downloaded to your machine you can "Open With" Notepad or preferably Notepad++ (does UNIX, ANSI and UTF formats) and copy and paste the text over into a new cert in the Plesk Panel :)

And since you downloaded the cert install it to your root store (assuming you're using Windows, again).

I'm not sure exactly "how much less secure", but if I can create something stronger, I do :)

Another example:
Code:
openssl req -x509 -nodes -days 730 -sha256 -newkey rsa:4096 -keyout /etc/ssl/private/domain.key -out /etc/ssl/certs/domain.crt

Hope it helps

Kind regards

Lloyd
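The two openssl commands above generate the key and certificate but leave the hostname/IP question open and give you no way to check what you produced before pasting it into Plesk. The script below is an added example, not code from this thread or from Plesk: it does the same `openssl req -x509` generation via a small config file (so it also works on the 1.0.1-era OpenSSL the thread is about, which has no `-addext`), puts both the panel hostname and the bare IP into a subjectAltName, then verifies that the key and certificate match, that the key size and signature algorithm are what you asked for, and prints the fingerprint you compare in the browser. It also includes a check of the `openssl version` string against the Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The hostname `panel.example.com`, the IP `203.0.113.10`, and the output directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or from Plesk).
# Generates a self-signed certificate for the Plesk panel with a SAN
# covering both hostname and IP, then sanity-checks the result.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"          # assumed output directory
PANEL_HOST="${PANEL_HOST:-panel.example.com}" # assumed panel hostname
PANEL_IP="${PANEL_IP:-203.0.113.10}"          # assumed panel IP (documentation range)
DAYS="${DAYS:-730}"
BITS="${BITS:-4096}"

# heartbleed_affected VERSION_STRING
# True if `openssl version` output names a Heartbleed-vulnerable release:
# 1.0.1 through 1.0.1f, or 1.0.2-beta1. 1.0.1g and later are fixed.
heartbleed_affected() {
    printf '%s\n' "$1" | grep -Eq '^OpenSSL 1\.0\.(1[a-f]? |2-beta1)'
}

# gen_selfsigned: writes $CERT_DIR/domain.key and $CERT_DIR/domain.crt.
# -nodes leaves the key unencrypted, which is what Plesk needs when you
# paste the PEM text into Tools & Settings > SSL Certificates.
gen_selfsigned() {
    cat > "$CERT_DIR/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
CN = $PANEL_HOST
[v3_self]
subjectAltName = DNS:$PANEL_HOST,IP:$PANEL_IP
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$DAYS" -sha256 -newkey "rsa:$BITS" \
        -keyout "$CERT_DIR/domain.key" -out "$CERT_DIR/domain.crt" \
        -config "$CERT_DIR/san.cnf" 2>/dev/null
}

# pair_matches: succeeds only if the public key inside the certificate is
# the one derived from the private key (catches a mixed-up key/crt pair).
pair_matches() {
    c=$(openssl x509 -noout -pubkey -in "$CERT_DIR/domain.crt")
    k=$(openssl pkey -pubout -in "$CERT_DIR/domain.key" 2>/dev/null)
    [ "$c" = "$k" ]
}

# key_bits: RSA modulus size recorded in the certificate, e.g. 4096
key_bits() {
    openssl x509 -noout -text -in "$CERT_DIR/domain.crt" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# sig_alg: signature algorithm, to confirm it is not SHA-1
sig_alg() {
    openssl x509 -noout -text -in "$CERT_DIR/domain.crt" |
        sed -n 's/ *Signature Algorithm: \(.*\)/\1/p' | head -n1
}

# cert_sans: the subjectAltName entries with whitespace stripped,
# e.g. DNS:panel.example.com,IPAddress:203.0.113.10
cert_sans() {
    openssl x509 -noout -text -in "$CERT_DIR/domain.crt" |
        sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# fingerprint: SHA-256 fingerprint to compare against the browser warning
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$CERT_DIR/domain.crt"
}

# Usage: generate, then report what was produced.
gen_selfsigned
pair_matches && echo "key and certificate match"
echo "key size: $(key_bits) bits, signature: $(sig_alg)"
echo "SAN: $(cert_sans)"
fingerprint
if heartbleed_affected "$(openssl version)"; then
    echo "WARNING: this OpenSSL is in the Heartbleed-affected range; patch first"
fi
echo "paste $CERT_DIR/domain.crt and $CERT_DIR/domain.key into the Plesk Panel"
```

The IP goes into the SAN, not only the CN, because that is where browsers look when the panel is opened by address; the Plesk form may still insist on a domain name for its own field, but the certificate text you paste in carries the SAN regardless. The key-size default is 4096 rather than 8192 because 8192-bit RSA makes every TLS handshake to the panel noticeably slower for no meaningful gain in 2014-era threat models; raise BITS if you want Lloyd's setting.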
 
I feel the answer given here is wrong. The heartbleed bug does not very easily show the private key to prying eyes. It only leaks little bits of memory, which _might_ contain parts of the private key. Cloudflare actually asks their users to retrieve the private key from a specially setup webserver, and I believe it took the attackers 30 million or something requests to retrieve the entire key.

Thus, the chance that your private key was leaked is very, very, very unlikely. Especially with a self-signed certificate, I wouldn't bother with replacing them.
 
I take your point. On the other hand it didn't take long to do and brings peace of mind.
 
newkey rsa:8192 - please beware, the RSA standard is the method applied by ransomware to encode files: http://nabzsoftware.com/types-of-threats/rsa-4096
 