To preface, I have searched a lot but can't seem to find the right search terms.
I generated a CSR using the following command:
openssl req -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/ssl.key -out /etc/ssl/ssl.csr
With the generated CSR I got a class 2 signed cert via StartSSL.
The issue is when I view the cert info in Chrome on my site, it says the site security is outdated.
Is maybe there is an Apache2 mod_ssl setting I need to change?
Or if it's a cert issue, what OpenSSL options do I need to use to generate an up-to-date CSR request?
Thanks in advance.
Best Answer
First, add "-sha256" to your CSR command, to ensure that you're using SHA256 instead of the less secure SHA1 or MD5 hash digests for your certificate.
Second, check to ensure that the server itself is configured to use only TLS or above. Change your SSL configuration lines (in
/etc/httpd/conf.d/ssl.conf, your site files, or wherever else your distro is storing them) to be at a bare minimum this restrictive:For more information, there is a document specifying the lowest acceptable algorithms and key strengths on the CA/Browser Forum, in Appendix A. That link is likely to become outdated as new standards are adopted, so keep an eye on their Baseline Requirements Documents page for updates.