Apache, SSL and CaCert.Org: differences between revisions
Line 63:
Two files will be generated: <code>dominio.it.key</code>, which is the private key, and <code>dominio.it.csr</code>, which is the Certificate Signing Request.
{{ Warningbox | A 1024-bit key may be vulnerable; a security notice from CaCert may warn us of this }}
<pre>CAcert recently became aware that some of the certificates signed by CAcert pose a security
risk because they are backed by private keys that are vulnerable to attack.
The security issues identified are:
Private keys with a small key size. These keys are vulnerable to brute force attack.
Private keys with an unsafe exponent. These keys are vulnerable to some specialised attacks.
Private keys generated by a compromised version of OpenSSL distributed by Debian.
You received this email because a certificate issued to you is vulnerable:
Server Certificate, Serial 09GEF3, expiring 2011-09-14 14:36:55, CN dominio.it
To rectify the problem CAcert will revoke all vulnerable certificates (including yours) on 2011-07-15.
CAcert will no longer accept vulnerable certificate requests for signing. In future all Certificate
Signing Requests must be backed by private keys with a key length at least 2048 bits and no other known vulnerabilities.
You should submit a new Certificate Signing Request of acceptable strength as soon as possible
and replace your existing certificate.
If you are interested in background information on this change please refer to this document:
http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
Kind regards
CAcert Support Team</pre>
In that case you need to create a stronger key with the command:
# openssl req -nodes -newkey rsa:4096 -keyout dominio.it.key -out dominio.it.csr
The value 4096 can be changed as desired, starting from 2048 according to current standards.
<pre>Generating a 4096 bit RSA private key
...........................................................++
...++
writing new private key to 'dominio.it.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Parma
Locality Name (eg, city) []:Grugno
Organization Name (eg, company) [Internet Widgits Pty Ltd]:barabba
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:dominio.it
Email Address []:admin@dominio.it
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:biscottino
An optional company name []:</pre>
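Before submitting the new request, it can be checked against two of the criteria named in the CAcert notice, key length and public exponent. The script below is an added example, not part of the original wiki page: the function names <code>check_csr</code> and <code>check_csr_text</code> are hypothetical, and the exponent threshold of 65537 is an assumption, since the notice does not say what it counts as unsafe. Keys produced by the affected Debian OpenSSL build are not detected here, because that requires a blacklist of known keys.

```shell
#!/bin/sh
# Pre-submission check of a CSR: RSA key length and public exponent.
# Added example; thresholds below are not taken from the wiki page
# except for the 2048-bit minimum quoted in the CAcert notice.

MIN_BITS=2048        # minimum key length stated in the CAcert notice
MIN_EXPONENT=65537   # assumption: the notice does not define "unsafe exponent"

# Reads the output of `openssl req -noout -text` on stdin.
# Prints one line per finding; returns 0 if acceptable, 1 otherwise.
check_csr_text() {
    text=$(cat)
    # Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    exp=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Exponent: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ -z "$exp" ]; then
        echo "FAIL: no RSA public key found in input"
        return 1
    fi
    rc=0
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: key is $bits bits, minimum is $MIN_BITS"
        rc=1
    fi
    if [ "$exp" -lt "$MIN_EXPONENT" ] || [ $((exp % 2)) -eq 0 ]; then
        echo "FAIL: public exponent $exp is too small or even"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $bits-bit key, exponent $exp"
    fi
    return "$rc"
}

# Dumps the CSR file given as $1 with openssl and applies the checks.
check_csr() {
    dump=$(openssl req -in "$1" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $1 as a CSR"
        return 1
    }
    printf '%s\n' "$dump" | check_csr_text
}

# Usage: sh check_csr.sh dominio.it.csr
if [ "$#" -gt 0 ]; then
    check_csr "$1"
fi
```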
=== Certificate Request ===