
Do I need to re-generate my self-signed SSL Certificate after upgrading OpenSSL?

Kroptokin

Regular Pleskian
Hi

I have installed the 7 April release of OpenSSL (OpenSSL 1.0.1g 7 Apr 2014) as my machine had a vulnerable version installed.

My Plesk Admin panel is protected with the 'default certificate'. This is the self-generated certificate that provides SSL encryption but is not signed by a recognized certificate issuer. It was pre-installed on the system when I got it.

From what I have read about Heartbleed I will need to revoke that SSL Certificate and create a new one.

Firstly, is this correct?

Secondly, how do I do this? I found this Parallels documentation for Plesk 11.5: http://kb.parallels.com/en/6140 . However I don't get beyond the first step as there is no file openssl.conf on my system.

Update:

Ok. I have found that it looks like you can do this through the Control Panel. Tools & Settings.... SSL Certificates... Add SSL Certificate. Choose Self-Signed and it will generate one for you.

That looks easy. Just one question: what do I put as the domain? I access the Control Panel with an IP and port. Do I just put the IP?

And; do I need to do anything to revoke the old certificate?

Thank you

--Justin Wyllie
Yes, that is correct: you should either create a new self-signed certificate or get a "real certificate" re-issued once your system is patched, of course.

I'm pretty sure you can use an IP instead of a domain, I can at my CA at least.

Since Plesk only creates a 2048-bit self-signed certificate, you can always create one via SSH...

Create a self-signed cert with an 8192-bit public key and SHA-384, valid for 2 years:
Code:
openssl req -x509 -nodes -days 730 -sha384 -newkey rsa:8192 -keyout /etc/ssl/private/domain.key -out /etc/ssl/certs/domain.crt

Download and copy the text in to a new SSL in the Plesk Panel.

Hope that helps

Kind regards

Lloyd
Thanks Lloyd

I tried to do it manually and copied the files to /etc/httpd/conf. It didn't work. So I abandoned the operation and used the Control Panel. Having done all that, I discovered that Plesk keeps the keys in /usr/local/psa/var/certificates.


Anyhow I decided to stick with the Plesk route as using Plesk for everything is my general policy. How much less security do you think I have using 2048 bits rather than 8192?

Finally; using the Plesk control panel I have to use a domain name. It won't accept an IP address.

Regards

Justin
No problem, yeah, you will have to download the .key and .crt files using SFTP. Once downloaded to your machine you can "Open With" Notepad or preferably Notepad++ (does UNIX, ANSI and UTF formats) and copy and paste the text over into a new cert in the Plesk Panel :)

And since you downloaded the cert install it to your root store (assuming you're using Windows, again).

I'm not sure exactly "how much less secure" but if I can create stronger I do :)

Another example:
Code:
openssl req -x509 -nodes -days 730 -sha256 -newkey rsa:4096 -keyout /etc/ssl/private/domain.key -out /etc/ssl/certs/domain.crt

Hope it helps

Kind regards

Lloyd
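The two openssl one-liners above put only a subject CN in the certificate, and Justin's panel is reached by IP and port, which the Plesk form would not accept. The script below is an added example (not from Lloyd's posts or from Plesk) that generates a self-signed panel certificate with a subjectAltName carrying both a DNS name and an IP address, the field browsers actually check, using a small config file so it also works on OpenSSL 1.0.x (which lacks -addext). It then verifies the result the way a practitioner would before pasting it into the panel or trusting an existing key/cert pair under /usr/local/psa/var/certificates: SAN present, key matches certificate, modulus size as requested. The hostname, IP and output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Generates a self-signed certificate
# for a Plesk panel reached by IP:port, with the IP in subjectAltName, and checks it.
# Hostname, IP and output paths are placeholders chosen for this example.
set -eu

# make_selfsigned_cert HOSTNAME IP DAYS BITS OUTDIR
# Writes OUTDIR/panel.key and OUTDIR/panel.crt. The SAN lists both the DNS name
# and the IP so the same certificate is valid whichever way the panel is opened.
make_selfsigned_cert() {
    host="$1"; ip="$2"; days="$3"; bits="$4"; outdir="$5"
    mkdir -p "$outdir"
    cfg="$outdir/panel.cnf"
    # Config file instead of -addext: works on OpenSSL 1.0.x as well as 1.1/3.x.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_self
prompt             = no

[ dn ]
CN = $host

[ v3_self ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host, IP:$ip
EOF
    # -nodes: unencrypted private key, as the panel loads it without a passphrase.
    openssl req -x509 -nodes -days "$days" -sha256 -newkey "rsa:$bits" \
        -config "$cfg" -keyout "$outdir/panel.key" -out "$outdir/panel.crt" 2>/dev/null
    chmod 600 "$outdir/panel.key"
}

# cert_has_san CERT VALUE: succeed if VALUE (e.g. "IP Address:192.0.2.10")
# appears in the certificate's Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# key_matches_cert KEY CERT: compare the public key derived from the private key
# with the one embedded in the certificate; a mismatch means the pair is not a pair.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_key_bits CERT: print the RSA modulus size, to confirm the requested strength
# (matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" output formats).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone usage (placeholder values): generate, then run the three checks.
if [ "${1:-}" = "run" ]; then
    out="${2:-./panel-cert}"
    make_selfsigned_cert panel.example.test 192.0.2.10 730 2048 "$out"
    cert_has_san "$out/panel.crt" 'IP Address:192.0.2.10' && echo "SAN has IP"
    key_matches_cert "$out/panel.key" "$out/panel.crt" && echo "key matches cert"
    echo "modulus bits: $(cert_key_bits "$out/panel.crt")"
fi
```

After `sh panel-cert.sh run /tmp/panel`, the contents of panel.crt and panel.key are what gets pasted into Tools & Settings > SSL Certificates > Add SSL Certificate; the three checks are worth repeating on any existing key/cert pair before reusing it.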
I feel the answer given here is wrong. The Heartbleed bug does not very easily show the private key to prying eyes. It only leaks little bits of memory, which _might_ contain parts of the private key. Cloudflare actually asked their users to retrieve the private key from a specially set up webserver, and I believe it took the attackers 30 million or something requests to retrieve the entire key.

Thus, the chance that your private key was leaked is very, very, very unlikely. Especially with a self-signed certificate I wouldn't bother with replacing them.
> I feel the answer given here is wrong. The Heartbleed bug does not very easily show the private key to prying eyes. It only leaks little bits of memory, which _might_ contain parts of the private key. Cloudflare actually asked their users to retrieve the private key from a specially set up webserver, and I believe it took the attackers 30 million or something requests to retrieve the entire key.
>
> Thus, the chance that your private key was leaked is very, very, very unlikely. Especially with a self-signed certificate I wouldn't bother with replacing them.

I take your point. On the other hand it didn't take long to do and brings peace of mind.
newkey rsa:8192: please beware, the RSA standard is the method applied by ransomware to encode files: http://nabzsoftware.com/types-of-threats/rsa-4096