Discussion:
OpenSSL method for creating certificate outdated for Google Chrome?
Thomas Barth
2014-12-27 11:55:09 UTC
Hello,
I had to renew a self-signed certificate for Apache2 webserver
(Apache/2.2.16 Debian) and after importing the certificate as CA, Google
Chrome still says that the website is using old security settings and
it may be possible that further Chrome versions can't read the settings
for sure. I would like to know what I have to change to get rid of this
warning.

I used the official openssl method to create the certificate as
described in https://www.openssl.org/docs/HOWTO/certificates.txt

# generate private rsa key
openssl genrsa -out sub.domain.key 4096

# creating a self-signed test certificate
openssl req -new -x509 -key sub.domain.key -out sub.domain.crt -days 1095

In apache2 default-ssl
SSLEngine on
SSLCertificateFile /etc/ssl/certs/sub.domain.crt
SSLCertificateKeyFile /etc/ssl/certs/sub.domain.key


In another docu I read to add the following lines to get more security

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

But with these settings I get the same warning.

The webserver is not really public, it's only used by a very small group
of people who all import the self-signed certificate. But what could
cause the warning in Google Chrome?

Thomas B.
a***@gmail.com
2019-01-14 16:38:47 UTC
Post by Thomas Barth
Hello,
I had to renew a self signed certificate for Apache2 webserver
(Apache/2.2.16 Debian) and after importing the certificate as CA, Google
Chrome still says, that the Website is using old security settings and
it may be possible that further chrome versions can't read the settings
for sure. I would like to know what I have to change to get rid of this
warning.
I used the official openssl method to create the certificate as
described in https://www.openssl.org/docs/HOWTO/certificates.txt
# generate private rsa key
openssl genrsa -out sub.domain.key 4096
# creating a self-signed test certificate
openssl req -new -x509 -key sub.domain.key -out sub.domain.crt -days 1095
In apache2 default-ssl
SSLEngine on
SSLCertificateFile /etc/ssl/certs/sub.domain.crt
SSLCertificateKeyFile /etc/ssl/certs/sub.domain.key
In another docu I read to add the following lines to get more security
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
But with these settings I get the same warning.
The webserver is not really public, it's only used by a very small group
of people who all import the self signed certificate. But what could
cause the warning in Google Chrome?
Thomas B.9
Lorinczy Zsigmond
2019-01-24 10:26:22 UTC
Would you mind quoting the complete error message you got from Chrome?
D. Stussy
2019-02-06 06:56:18 UTC
Post by Thomas Barth
Hello,
I had to renew a self signed certificate for Apache2 webserver
(Apache/2.2.16 Debian) and after importing the certificate as CA, Google
Chrome still says, that the Website is using old security settings and
it may be possible that further chrome versions can't read the settings
for sure. I would like to know what I have to change to get rid of this
warning.
I used the official openssl method to create the certificate as
described in https://www.openssl.org/docs/HOWTO/certificates.txt
# generate private rsa key
openssl genrsa -out sub.domain.key 4096
...
It's not your commands or Apache configuration that's biting you. It's the openssl configuration.

Look for the "default_md" parameter in the "CA_default" section and make certain it says sha256 or better.

You could also look at the "-text" output of your certificate(s) and make certain they're not starting with "sha1" or "md5". If
they are, you need to regenerate them. Don't forget that if you're using TLSA records in your DNS zones to regenerate the
signatures as well.
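
The two checks named in the reply above (the "default_md" setting and the signature algorithm in the "-text" output), as an added shell example that is not part of the original thread. The function names and the sample certificate text and openssl.cnf fragment are constructed for illustration; the section name is passed as a parameter.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print the signature algorithm found in `openssl x509 -text` output on stdin.
cert_sig_alg() {
    awk '/Signature Algorithm:/ { print $NF; exit }'
}

# Print default_md from section $1 of an openssl.cnf read on stdin.
cnf_default_md() {
    awk -v want="$1" '
        /^[ \t]*\[/ { s = $0; sub(/#.*/, "", s); gsub(/[][ \t]/, "", s)
                      in_sec = (s == want); next }
        in_sec && /^[ \t]*default_md[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*(#.*)?$/, "", v)
            print v; exit }'
}

# Succeed (exit 0) when the name denotes an MD5- or SHA-1-based signature.
is_weak_digest() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        md5*|sha1*|*-md5|*-sha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed excerpt of `openssl x509 -noout -text` output.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = sub.domain'

# Constructed openssl.cnf fragment.
SAMPLE_CNF='[ req ]
default_md = sha256
[ CA_default ]
default_md = sha1    # weak value, for the demonstration'

for name in "$(printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_sig_alg)" \
            "$(printf '%s\n' "$SAMPLE_CNF" | cnf_default_md CA_default)"; do
    if is_weak_digest "$name"; then
        echo "WEAK: $name (regenerate with sha256 or better)"
    else
        echo "ok:   $name"
    fi
done
```

On a real system, pipe `openssl x509 -in sub.domain.crt -noout -text` into `cert_sig_alg` and the installed openssl.cnf into `cnf_default_md`. `openssl req` also accepts a digest option such as `-sha256` on the command line.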
