Friday, August 12, 2011

Issues with new SSL certificate. 2047 bits instead of 2048 bits.

A customer of mine had a Verisign SSL certificate expiring in a few days, so they asked me to renew it.

They are using IBM HTTP Server (IHS), where iKeyman is being used to manage the certificates.

So I went in, opened up iKeyman from the Start menu (Windows), found the CMS key database used by the IHS and examined the certificate.
They were using a 1024-bit encrypted SSL certificate. This would not work, so I had to generate a new CSR request with 2048-bit encryption. Why?
As Verisign themselves say:
To meet industry standards and security best practices, 2048-bit private keys are required for all SSL and code signing certificates after 1 October, 2013.
Therefore, any certificate whose validity period will extend past 1 October, 2013 must have a 2048-bit key or stronger.

So I did: generated a CSR request and tried to select 2048 bits. THIS WAS NOT AN OPTION in iKeyman. The highest encryption I could select was 1024....

So I googled a bit, and found this page:
http://www-01.ibm.com/support/docview.wss?uid=swg21421447

OK, so I followed the instructions, removed the gskim.jar file and started up iKeyman once again. Voilà, I could select 2048-bit encryption.

I then pasted in the CSR info into the "renew certificate" input box on the Verisign renewal website.
This did not work. Verisign said that the CSR was not a 2048-bit request!

Google once more, found this page:
http://www.sslshopper.com/csr-decoder.html
Here I could analyze my CSR.
And the result said that the CSR was at a 2047-bit encryption level!!

Googled again and found this page:
http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_certificate_doc.html#1023
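The check the online CSR decoder performed can be done offline. Below is an added example, not code from the original post or from IBM: it walks the DER of a PKCS#10 CSR with the standard library only and reports the modulus size actually encoded in the request, so a 2047-bit key shows up as 2047 rather than 2048. It assumes an RSA CSR; the sample CSR bytes are constructed here (not a real key, not signed) only to exercise the check.

```python
# Added example (not from the original post): a minimal DER walk over a
# PKCS#10 CSR that reports the RSA modulus size actually encoded in it, the
# same check the online CSR decoder performed. Sample CSR bytes are constructed.
import base64, re

def der_read(buf, pos=0):                  # one TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):                   # child (tag, value) pairs of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out
def find_first_bitstring(value):           # depth-first; in a CSR this is subjectPublicKey
    for tag, val in der_children(value):
        if tag == 0x03:
            return val
        if tag & 0x20:                     # constructed type: descend
            found = find_first_bitstring(val)
            if found is not None:
                return found
def csr_rsa_modulus_bits(pem):             # bit length of the RSA modulus in a PEM CSR
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, top, _ = der_read(der)              # outer CertificationRequest SEQUENCE
    spk = find_first_bitstring(top)
    _, rsa_key, _ = der_read(spk, 1)       # skip the BIT STRING unused-bits byte
    modulus = der_children(rsa_key)[0][1]  # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()

# Constructed sample CSR for testing only: not a real key and not signed.
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content
def _int(v):                               # INTEGER, with a leading 0x00 when the top bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def make_csr_pem(modulus):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, _int(modulus) + _int(65537))))
    info = _der(0x30, _int(0) + _der(0x30, b"") + spki + _der(0xA0, b""))
    csr = _der(0x30, info + alg + _der(0x03, b"\x00" * 9))    # placeholder signature
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode()
            + "-----END CERTIFICATE REQUEST-----\n")
```

To check a real request, read the .csr file into a string and pass it to csr_rsa_modulus_bits; anything other than 2048 for a supposedly 2048-bit request is the problem the post describes.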

So either upgrade IHS and Java to solve this (the IHS version at this customer was 6.0.2, so pretty old).

Or do as I did:
I had WebSphere Portal installed on this server, which the customer in fact had upgraded, so the Java version here was newer than the one used by the IHS/iKeyman.

I found ikeyman.bat under the $IHS_INSTALLDIR\bin folder, copied it and called it ikeyman2.bat.
Edited it in Notepad and changed the $JAVA_HOME variable to point to the Java dir for the WAS server (the directory below the \bin directory where java.exe exists).

I then started up ikeyman2.bat, generated a new CSR and voilà, the CSR I then got was finally 2048 bits.

And of course I recommended that the customer upgrade to a newer version as well :-)
