
We want to get 2048-bit key length CSR requests. The browser-based GUI provides us with a 1024-bit CSR and I don't know how to change that.

It seems that 1024-bit key lengths will no longer be supported by SSL companies. (Lower-cost options only support 2048-bit. Thawte, who is much more expensive, says they accept 1024 for only one- or two-year certificates, but not 3.) The legacy systems in question are running Sun ONE Webserver 6.1. Upgrading would be time consuming and we would rather not have to do that right now. We will be phasing these out, but it will take a while, so...

Got it!!

http://middlewarekb.wordpress.com/2010/06/30/how-to-generate-2048-bit-keypair-using-sun-one-or-iplanet-6-1-servers/

It is for the same version webserver I am using.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -R -s "CN=sub.domain.ext,OU=org unit,O=company name,L=city,ST=spelled state,C=US,E=email" -a -k rsa -g 2048 -v 12 -d /opt/SUNWwbsvr/alias -P https-sub.domain.ext-hostname- -Z SHA1

Previous efforts edited out.

700 Software
  • I think you need `certutil`, check http://download.oracle.com/docs/cd/E19321-01/819-5536-12/6_SSL_SunONE.html and http://developers.sun.com/appserver/reference/techart/keymgmt.html – beans Feb 02 '11 at 21:00
  • Can't seem to get it to work, will edit in more details. @Ben – 700 Software Feb 07 '11 at 16:42
  • Is the keytool and certutil from the same version of java, as the webserver? – Steven Feb 07 '11 at 18:49
  • No. `/opt/SUNWwbsvr/bin/https/jdk/bin/java -version` gives back java version "1.4.2_04" but the startup log shows Java HotSpot(TM) Server VM, Version 1.4.2_13. - Based on server.xml the path to Java is `/usr/java_1_4_2_13-solaris-i586/j2sdk1.4.2_13`. I just tried using its keytool and I get the same error as the above keytool. @Steven – 700 Software Feb 07 '11 at 22:05

2 Answers

I don't have anywhere I can test this, so it's mostly thoughts on what I'd try...

First, back up cert8.db and key.db somewhere. Then delete the originals and try making something new:

% certutil -S -x -n nickname -t "u,u,u" -v num_of_valid_months -s subjectDN -d /opt/SUNWwbsvr/alias/https-sub.domain.ext-hostname-cert8.db [-h tokenname]

I'm looking through the possibilities at: http://developers.sun.com/appserver/reference/techart/keymgmt.html

Does that work? Does the following then work?

certutil -L -d /opt/SUNWwbsvr/alias/https-sub.domain.ext-hostname-cert8.db

If so, what happens if you restart the web server? Does it like the new cert? If it likes the cert, you could then try creating a signing request instead with 2048 bits.

Steven
  • I have a test copy of the webserver now. The new copy is on a different host name so the key3 and cert8 files were automatically generated. It may interest you to know the automatically generated files were the same length (down to the byte) as the production files which (we think) contain the real certificate. They are generated when the server is started. The server currently fails to start because it is missing "Server-Cert" and it only has the preset root CA certificates. Please see my edit to see my progress on delete and recreate – 700 Software Feb 07 '11 at 21:57
  • Got it! See my solution up above. I know that you did not do a lot in this question, but I have to do something with the 150 rep bounty. Thank you for your effort. It seems the above commands might have worked if we used -d for the directory and a -p with the prefix of the file name from character zero up to just before cert8. – 700 Software Feb 08 '11 at 19:25

I used the command described on this page.

It is for the same version webserver I am using.

/opt/SUNWwbsvr/bin/https/admin/bin/certutil -R -s \
   "CN=sub.domain.ext,OU=org unit,O=company name,L=city,ST=spelled state,C=US,E=email" \
   -a -k rsa -g 2048 -v 12 -d /opt/SUNWwbsvr/alias -P https-sub.domain.ext-hostname- -Z SHA1
700 Software
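Once `certutil -R -a` has written the request, it is worth confirming that the modulus really is 2048 bits before sending it to the CA. The following is an added example, not code from the thread: it walks the PKCS#10 DER of a PEM CSR down to the RSA modulus using only the Python standard library, and the CSR it is fed is constructed inline (dummy modulus, zeroed signature) so it runs offline.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(der, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(der, start, end):
    """List the (tag, start, end) of each element inside a constructed type."""
    out, pos = [], start
    while pos < end:
        out.append(_tlv(der, pos))
        pos = out[-1][2]
    return out

def csr_rsa_bits(pem):
    """Return the RSA modulus bit length found in a PEM PKCS#10 CSR (raises if not RSA)."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    info = _children(der, *_tlv(der, 0)[1:])[0]           # CertificationRequestInfo
    spki = _children(der, info[1], info[2])[2]            # version, subject, subjectPKInfo
    alg, bits = _children(der, spki[1], spki[2])
    if not der[alg[1]:alg[2]].startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, ks, ke = _tlv(der, bits[1] + 1)                    # skip the BIT STRING unused-bits byte
    mod = _children(der, ks, ke)[0]                       # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(der[mod[1]:mod[2]], "big").bit_length()

# Constructed sample input: a CSR-shaped DER with a dummy modulus and a zeroed signature (NOT a real request).
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v):                                 # positive INTEGER, leading 0x00 when the high bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def sample_csr(bits):
    key = _der(0x30, _int((1 << (bits - 1)) | 1) + _int(65537))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + key))
    info = _der(0x30, _int(0) + _der(0x30, b"") + spki + _der(0xA0, b""))
    sig_alg = _der(0x30, bytes.fromhex("06092a864886f70d010105") + b"\x05\x00")  # sha1WithRSAEncryption
    der = _der(0x30, info + sig_alg + _der(0x03, b"\x00" * (bits // 8 + 1)))
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n%s-----END NEW CERTIFICATE REQUEST-----\n" % base64.encodebytes(der).decode()
```

Feed `csr_rsa_bits()` the text of a real request file to check it; where OpenSSL is installed, `openssl req -noout -text -in request.csr` reports the same key size.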