Hopefully by now most Debian sysadmins have updated their systems and regenerated any weak OpenSSL keys they found. After last week's disclosure, the Debian team has done a great job identifying every possibly affected program and every type of key, and for sure there are many ;-) . Special pages were created to help people migrate their keys and also to identify whether their keys are weak or not. In my previous post I discussed how to identify and regenerate the vulnerable SSH keys, obviously the ones most targeted by attacks against this issue. This post will answer the questions I have received by email on how you can identify and regenerate Apache PEM keys (SSL certificates).
The Ubuntu team has created a package which will verify whether PEM files are vulnerable or not. The package is called "openssl-blacklist", and was repackaged for Debian and built for etch: http://xillion.org/openssl-blacklist/. Download the package and install it with dpkg.
Now that you have installed openssl-blacklist you will be able to test your key/PEM files using openssl-vulnkey.
For example, if you have all your keys (with the extension .key) inside /etc/apache2/ssl, you could run openssl-vulnkey over all of them at once,
or likewise if you also have .pem keys.
If you have found weak keys you will probably want to regenerate them. Hopefully your certificate authority will offer you a free reissue for your certificate(s), and this bug will not cost you even more than it already has ;-) (most companies will do this for free, like Thawte, VeriSign, DigiCert, GeoTrust, etc.). Check with your certificate authority for the specific details.
Normally, to get the certificate reissued you will have to create a new private key, then create a new CSR (Certificate Signing Request) from it and send that to your CA, which will reissue the certificate and send you back the new one.
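As an added example, not part of the original post, here is a small POSIX shell script that wraps the two steps above: scanning a directory of Apache keys with openssl-vulnkey and generating a replacement key plus CSR to send to the CA. The function names, the VULNKEY override and the assumed exit codes of openssl-vulnkey (0 for a key that is not blacklisted, 1 for a blacklisted one) are my assumptions, as is that key paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): scan a directory of Apache
# SSL private keys with openssl-vulnkey from openssl-blacklist, report
# which ones are blacklisted, and generate a fresh key plus CSR to send
# to the CA for reissue.
# Assumptions: openssl-vulnkey exits 0 for a key that is not blacklisted
# and 1 for a blacklisted one (other codes mean it could not check);
# $VULNKEY may point at a different checker; key paths contain no spaces.

# list_keys DIR: print the *.key and *.pem files under DIR, sorted
list_keys() {
    find "$1" -type f \( -name '*.key' -o -name '*.pem' \) 2>/dev/null | sort
}

# check_keys DIR: run the checker on every key file found under DIR and
# print one line per file: "OK", "WEAK" or "UNKNOWN" (could not be checked).
# Returns 1 if at least one WEAK key was found, 0 otherwise.
check_keys() {
    rc=0
    for f in $(list_keys "$1"); do
        "${VULNKEY:-openssl-vulnkey}" "$f" >/dev/null 2>&1
        case $? in
            0) echo "OK      $f" ;;
            1) echo "WEAK    $f"; rc=1 ;;
            *) echo "UNKNOWN $f" ;;
        esac
    done
    return $rc
}

# regen_key_csr NAME SUBJECT: create NAME.key (2048-bit RSA) and NAME.csr
# for the given subject, e.g. "/CN=www.example.com/O=Example Ltd";
# the .csr is what you send to the CA for the reissue.
regen_key_csr() {
    (   # subshell so the restrictive umask does not leak to the caller
        umask 077                       # keep the new private key private
        openssl genrsa -out "$1.key" 2048 &&
        openssl req -new -key "$1.key" -out "$1.csr" -subj "$2"
    )
}

# Typical use (uncomment to run):
# check_keys /etc/apache2/ssl
# regen_key_csr /etc/apache2/ssl/www.example.com "/CN=www.example.com"
```

A WEAK line means the key must be replaced and the matching certificate reissued; an UNKNOWN line (for example a PEM file that holds only a certificate, not a key) needs a look by hand.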
Good luck, and hopefully this post has answered the questions I got by email on how to identify and reissue Apache SSL keys (sorry for the late replies, it has been a crazy week).