ispconfig 2, apache thawte root hierarchy update

Discussion in 'Installation/Configuration' started by sygram, Sep 4, 2010.

  1. sygram

    sygram Member

    Hi to all,

    I would like your advice since I do not want to mess up anything on my production system.

    I am running a CentOS 5 system with ISPConfig 2. Thawte recently announced that "On June 27th, 2010 Thawte upgraded its root hierarchy to 2048bit RSA Keys to enhance the security of all SSL products"

    They advise downloading the two pre-packaged Intermediate CAs in a single file for a quick and easy install onto your web server:

    I downloaded the one for Apache - file : SSL_CA_Bundle.pem

    Now they recommend having 3 lines in your vhost file:

    * SSLCertificateFile /usr/local/ssl/crt/domainname.crt
    * SSLCertificateKeyFile /usr/local/ssl/private/server.key
    * SSLCACertificateFile /usr/local/ssl/crt/cabundle.crt

    I checked my configuration and ISPConfig has generated two lines:

    SSLCertificateFile /var/www/web12/ssl/
    SSLCertificateKeyFile /var/www/web12/ssl/

    Does this mean that I have to place the pem file in the /var/www/web12/ssl/ directory and add a line:

    SSLCACertificateFile /usr/local/ssl/crt/SSL_CA_Bundle.pem to the configuration? (via ispconfig extra directives ...)

    Also replace the ssl certificate for the domain...

    I appreciate your replies.


  2. falko

    falko Super Moderator ISPConfig Developer

    Yes, I think it should work that way.
  3. sygram

    sygram Member

    Thanks Falko,

    Actually it did work, but I got this message when testing my certificate:

    "1024 bit key found
    The certificate being presented by the server has a keysize of less than 2048 bits; while not a security issue, when this certificate is being renewed, a new private key and CSR with a keysize of 2048 bits or better should be generated. 2048 bit keys for SSL certificates will be required starting January 2011."

    Is there a way to optionally generate a 2048 bit csr and key from ispconfig? As the message indicates it will be mandatory after January 2011 (4 months from now).


  4. falko

    falko Super Moderator ISPConfig Developer

    What's your ISPConfig version? The latest release (2.2.37) supports 4096 bit.
  5. sygram

    sygram Member

    I still have 2.2.34 on that server so I guess I will have to update to .37. On another machine I have .36 but I do not see any option to select the key size. Will a 4096 bit csr be ok for a 2048 bit root key?
  6. falko

    falko Super Moderator ISPConfig Developer

    It's hard-coded into the source code.

    Haven't tried this, so I can't tell.
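
Added example, not part of the thread and not ISPConfig code: shell helpers around the `openssl` command line that check a key, CSR or certificate against the 2048-bit minimum named in the checker message, and confirm that a private key matches its CSR or certificate before the vhost is changed. The function names, file names and the CN are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example. All file names passed to these functions are placeholders.
MIN_BITS=2048   # minimum named in the checker message quoted in the thread

# Print the RSA modulus size in bits of a private key, CSR or certificate.
rsa_bits() {    # usage: rsa_bits key|csr|cert FILE
  local mod
  case "$1" in
    key)  mod=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null) ;;
    csr)  mod=$(openssl req  -in "$2" -noout -modulus 2>/dev/null) ;;
    cert) mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  mod=${mod#Modulus=}
  [ -n "$mod" ] || return 1
  echo $(( ${#mod} * 4 ))   # hex digits -> bits (exact for standard RSA sizes)
}

# Succeed only if the object's key is at least MIN_BITS long.
key_ok() {      # usage: key_ok key|csr|cert FILE
  local bits
  bits=$(rsa_bits "$1" "$2") || return 1
  [ "$bits" -ge "$MIN_BITS" ]
}

# Succeed only if the private key and the CSR/certificate share one modulus,
# i.e. the SSLCertificateKeyFile really belongs to the SSLCertificateFile.
same_key() {    # usage: same_key KEYFILE csr|cert FILE
  local a b
  a=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
  case "$2" in
    csr)  b=$(openssl req  -in "$3" -noout -modulus 2>/dev/null) ;;
    cert) b=$(openssl x509 -in "$3" -noout -modulus 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Create a fresh key of BITS bits and a CSR for it (subject is a placeholder).
new_key_and_csr() {   # usage: new_key_and_csr BITS KEYFILE CSRFILE
  openssl genrsa -out "$2" "$1" 2>/dev/null &&
  openssl req -new -key "$2" -out "$3" -subj "/CN=www.example.com" 2>/dev/null
}
```

Running `key_ok cert` against the installed certificate before and after renewal shows whether the 1024-bit warning will still appear.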
