• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Do I need to re-generate my self-signed SSL Certificate after upgrading OpenSSL?

Kroptokin

Regular Pleskian
Hi

I have installed the 7 April release of OpenSSL (OpenSSL 1.0.1g 7 Apr 2014) as my machine had a vulnerable version installed.

My Plesk Admin panel is protected with the 'default certificate'. This is the self-generated certificate that provides SSL encryption but is not signed by a recognized certificate issuer. It was pre-installed on the system when I got it.

From what I have read about Heartbleed I will need to revoke that SSL Certificate and create a new one.

Firstly. Is this correct?

Secondly, how do I do this? I found this Parallels documentation for Plesk 11.5: http://kb.parallels.com/en/6140 . However I don't get beyond the first step as there is no file openssl.conf on my system.

Update:

Ok. I have found that it looks like you can do this through the Control Panel. Tools & Settings.... SSL Certificates... Add SSL Certificate. Choose Self-Signed and it will generate one for you.

That looks easy. - Just one question; what do I put as the domain? I access the Control Panel with an IP and port . Do I just put the IP?

And; do I need to do anything to revoke the old certificate?

Thank you

--Justin Wyllie
 
Last edited:
Yes that is correct, you should either create a new Self-Signed certificate or get a "Real Certificate" re-issued once your system is patched of course.

I'm pretty sure you can use an IP instead of a domain, I can at my CA at least.

Since Plesk only creates a 2048bit Self-Signed, you can always create one via ssh...

Create a Self-Signed cert with a 8192Bit Public Key and SHA384 valid for 2 years
Code:
openssl req -x509 -nodes -days 730 -sha384 -newkey rsa:8192 -keyout /etc/ssl/private/domain.key -out /etc/ssl/certs/domain.crt

Download and copy the text in to a new SSL in the Plesk Panel.

Hope that helps

Kind regards

Lloyd
 
Last edited:
Thanks Lloyd

I tried to do it manually and copied the files to /etc/httpd/conf. It didn't work. So I abandoned the operation and used the Control Panel. Having done all that I discovered that Plesk keeps the keys in /usr/local/psa/var/certificates


Anyhow I decided to stick with the Plesk route as using Plesk for everything is my general policy. How much less security do you think I have using 2048 bits rather than 8192?

Finally; using the Plesk control panel I have to use a domain name. It won't accept an IP address.

Regards

Justin
 
Last edited:
No problem, yeah you will have to download the .key and crt file using SFTP, once downloaded to your machine you can "Open With" notepad or preferably Notepad++ (Does UNIX, ANSI and UTF formats) and copy n paste the text over into a new cert in the Plesk Panel :)

And since you downloaded the cert install it to your root store (assuming you're using Windows, again).

I'm not sure exactly "how much less secure" but if I can create stronger I do :)

Another example:
Code:
openssl req -x509 -nodes -days 730 -sha256 -newkey rsa:4096 -keyout /etc/ssl/private/domain.key -out /etc/ssl/certs/domain.crt

Hope it helps

Kind regards

Lloyd
 
I feel the answer given here is wrong. The heartbleed bug does not very easily show the private key to prying eyes. It only leaks little bits of memory, which _might_ contain parts of the private key. Cloudflare actually asks their users to retrieve the private key from a specially setup webserver, and I believe it took the attackers 30 million or something requests to retrieve the entire key.

Thus, the change that your private key was leaked is very, very, very unlikely. Especially with a self-signed certificate I wouldn't bother with replacing them.
 
I feel the answer given here is wrong. The heartbleed bug does not very easily show the private key to prying eyes. It only leaks little bits of memory, which _might_ contain parts of the private key. Cloudflare actually asks their users to retrieve the private key from a specially setup webserver, and I believe it took the attackers 30 million or something requests to retrieve the entire key.

Thus, the change that your private key was leaked is very, very, very unlikely. Especially with a self-signed certificate I wouldn't bother with replacing them.

I take your point. On the other hand it didn't take long to do and brings peace of mind.
 
newkey rsa:8192 please beware the rsa standard is method applied by ransoimware to encode files: http://nabzsoftware.com/types-of-threats/rsa-4096

rsa-4096-ransom-instructions.png
 
Back
Top