Vulnerability:
SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
Synopsis:
The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits.
Description:
At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits.
Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.
Solution:
Replace the certificate in the chain whose RSA key is shorter than 2048 bits with one that uses a longer key (4096 bits), and reissue any certificates signed by the old certificate.
This applies to any device certificate: the certificate is imported into network devices such as firewalls, VC devices, switches, and so on.
To mitigate this vulnerability, generate your own self-signed certificates with an adequately long key.
The certificate can be generated using open source software such as OpenSSL.
Download OpenSSL (open source software) from the internet.
- Locate the OpenSSL software in C:\temp\openssl and open CMD with Administrator privilege.
- Set the OpenSSL config file:
set OPENSSL_CONF=C:\openssl-1.0.2j-fips-x86_64\OpenSSL\bin\openssl.cnf
- Generate a private key using the OpenSSL tool.
cd OpenSSL\bin\
openssl.exe genrsa -out private.key 2048
- Generate a certificate signing request (CSR) using the OpenSSL tool. You can customize the certificate name as per your requirement.
openssl.exe req -out netsecaddict.csr -key private.key -new -sha256
After generating the CSR, you will find it together with the private key in your OpenSSL tool folder.
- Verify the CSR's hash algorithm and key algorithm (rsaEncryption) by printing its contents.
openssl.exe req -in netsecaddict.csr -noout -text
- Now create a self-signed certificate from the CSR and the private key.
openssl x509 -req -sha256 -days 365 -in netsecaddict.csr -signkey private.key -out netsecaddict.crt
You will now find three items in your OpenSSL tool folder:
- private key
- Certificate signing request (CSR)
- self-signed certificate
After the self-signed certificate has been generated, you can import it into the required network device.
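The same procedure as a POSIX shell script, followed by a check for the condition the finding above reports (an RSA key shorter than 2048 bits anywhere in the chain). This is an added example, not code from the original post; it assumes the openssl binary is on PATH (Linux/macOS shell, or Git Bash on Windows), and the *.example hostnames are constructed placeholders. The chain check goes slightly beyond the post's single certificate: it splits a PEM bundle as a server would send it and reports every RSA certificate in it with a short key, skipping non-RSA keys so an EC certificate is not flagged by mistake.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl binary
# is on PATH; the *.example hostnames are constructed placeholders.
set -eu

# make_self_signed DIR NAME BITS
# Produces the same three artifacts as the post: private key, CSR and a
# self-signed certificate valid for 365 days, all under DIR.
make_self_signed() {
  dir="$1"; name="$2"; bits="$3"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null
  # -subj keeps the request non-interactive; the CN is a constructed value
  openssl req -new -sha256 -key "$dir/$name.key" \
    -subj "/CN=$name.example" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
    -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# key_bits CERT -> prints the public key length in bits
key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# is_rsa CERT -> succeeds when the certificate carries an RSA public key
is_rsa() {
  openssl x509 -in "$1" -noout -text \
    | grep -q 'Public Key Algorithm: rsaEncryption'
}

# weak_certs_in_chain CHAIN_PEM
# Splits a PEM bundle (leaf plus intermediates) into one file per
# certificate and reports every RSA certificate whose key is shorter than
# 2048 bits. Returns 1 if any such certificate was found, 0 otherwise.
weak_certs_in_chain() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
                   n>0{print > (d "/cert-" (n-1) ".pem")}' "$1"
  status=0
  for f in "$tmp"/cert-*.pem; do
    [ -f "$f" ] || continue
    is_rsa "$f" || continue          # EC keys are sized differently; skip
    bits=$(key_bits "$f")
    subj=$(openssl x509 -in "$f" -noout -subject)
    if [ "$bits" -lt 2048 ]; then
      echo "WEAK $bits bits: $subj"
      status=1
    else
      echo "OK   $bits bits: $subj"
    fi
  done
  rm -rf "$tmp"
  return "$status"
}

# Stand-alone use: sh chaincheck.sh chain.pem
if [ "$#" -gt 0 ]; then
  weak_certs_in_chain "$1"
fi
```

To audit a live service rather than a file, save the chain it presents with `openssl s_client -connect host:443 -showcerts` and pass the saved PEM to weak_certs_in_chain; a non-zero exit status means at least one RSA certificate in the chain still needs to be replaced and reissued.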
Thanks for reading this post; if you have any query, feel free to comment in the message box below.
Really helpful, and I got the solution for SSL certification.