openssl-vulnkey *.key

2-minute read
debian-etch openssl

Hopefully by now most debian sysadmins have updated their systems and regenerated any weak openssl keys found. After the disclosure from last week, the debian team has done a great job to identify any possible affected program and any type of key, and for sure there are many ;-) . Special pages were created to help peoples migrate their keys and also to identify if their keys are weak or not. In my previous post I have discussed howto indentify and regenerate the ssh vulnerable keys, obviously the most targeted by attacks against this issue. This post will answer the questions I have received on email on how you can identify and regenerate apache PEM keys (SSL certificates).

The Ubuntu team has created a package which will verify if PEM files are vulnerable or not. The package is called “openssl-blacklist”, and was repackaged for Debian and built for etch: http://xillion.org/openssl-blacklist/. Download the package and install it with dpkg:

wget http://xillion.org/openssl-blacklist/openssl-blacklist_0.1-0~debian-1_all.deb
dpkg -i openssl-blacklist_0.1-0~debian-1_all.deb

Now that you have installed openssl-blacklist you will be able to test your keys/pem using openssl-vulnkey:

openssl-vulnkey <FILE>

For example if you have all your keys (with the extension key) inside /etc/apache2/ssl you could run:

cd /etc/apache2/ssl
openssl-vulnkey *.key

or if you have also pem keys:

openssl-vulnkey *.key *.pem

If you have found weak keys you will probably want to regenerate them. Hopefully your certificate authority will offer you a free reissue for your certificate/s and this bug will not cost you even more than it has already done by now ;-) (most companies will do this for free, like_ Thawte, VeriSign, Digicert, GeoTrust_, etc.). Check your certificate authority for specific details.

Normally for the certificate regeneration you will have to:_ create a new private key_, create a new CSR (Certificate Signing Request) that you will send to your CA, that will reissue and send you back the new certificate:

openssl genrsa -out domainname.key 1024
openssl req -new -key domainname.key -out domainname.csr
cat domainname.csr -> and send this to your CA

Good luck, and hopefully this post has answered the question I got on emails, on how to identify and reissue apache ssl keys (sorry for the late replies, as it has been a crazy week).

comments powered by Disqus