Hi to all, i would like your advice since i do not want to mess up anything on my production system. I am running a centos 5 system with ispconfig 2. Thawte recently announced that "On June 27th, 2010 Thawte upgraded its root hierachy to 2048bit RSA Keys to enhance the security of all SSL products" They advise to download the two pre-packaged Intermediate CA's in a single file for a quick and easy install on to your web server : https://search.thawte.com/support/s...s/index?page=content&actp=CROSSLINK&id=AR1373 I downloaded the one for Apache - file : SSL_CA_Bundle.pem Now they recommend to have 3 lines to your vhost file : * SSLCertificateFile /usr/local/ssl/crt/domainname.crt * SSLCertificateKeyFile /usr/local/ssl/private/server.key * SSLCACertificateFile /usr/local/ssl/crt/cabundle.crt i checked my configuration and isp config has generated two lines : SSLCertificateFile /var/www/web12/ssl/www.domain.com.crt SSLCertificateKeyFile /var/www/web12/ssl/www.domain.com.key Does this mean that i have to place the pem file to /var/www/web12/ssl/ directory and add a line : SSLCACertificateFile /usr/local/ssl/crt/SSL_CA_Bundle.pem to the configuration ? (via ispconfig extra directives ...) Also replace the ssl certificate to the domain... I appreciate your replies. Regards, Leon
Thanks Falko, actually it did work but i got this message when testing my certificate : "1024 bit key found The certificate being presented by the server has a keysize of less than 2048 bits; while not a security issue, when this certificate is being renewed, a new private key and CSR with a keysize of 2048 bits or better should be generated. 2048 bit keys for SSL certificates will be required starting January 2011." Is there a way to optionally generate a 2048 bit csr and key from ispconfig ? As the message indicates it will be mandatory after January 2011 (4 months from now). Regards, Leon
i still have 2.2.34 on that server so i guess i will have to update to .37 . On another machine i have .36 but i do not see any option to select the key size. Will a 4096 bit csr be ok for a 2048 bit root key ?
