This week I decided it was past time to address the visual warning that Google’s Chrome and other web browsers are showing when connecting to the discussion forums. That site had been protected by a SHA-1 certificate issued by RapidSSL, which is owned by GeoTrust, which is now owned by Symantec. Now that I work in the retail sector my team has been very focused on replacing all the SHA-1 certificates that we use throughout our customer facing e-commerce infrastructure. No small job when you have hundreds of certificates out there with dozens if not hundreds of third-party vendors.
When you’d visit the forums you’d noticed a yellow triangle on the top of the padlock at the top of the browser instead of the traditional green padlock.
What’s the problem with SHA-1 certificates?
It’s believed that by 2018 the computing power may be available to render SHA-1 certificates vulnerable to attack. While MD5 has already proven to be cryptographically weak algorithm given the available compute resources available today, the move from SHA-1 to SHA-2 (SHA256) is really focused on future proofing our security.
How did you do it?
It was pretty straight forward, I generated a new SHA256 CSR from my host using OpenSSL,
openssl req -new -key private.key -sha256 -out forums.networkinfrastructrure.info.sha256.csr
I went to the RapidSSL homepage and clicked on “Reissue SSL” on the right hand side of the page. I provided the necessary information, validated my ownership of the domain, uploaded the new CSR and then download the new certificate. I uploaded that new certificate along with the new intermediate certificate authority to my host and replaced the certificate file within the Nginx configuration file. All that was left to-do was to restart Nginx (service nginx restart) and validate that everything was working.
Image Credit: Carsten Mueller