openssl-vulnkey *.key
Hopefully by now most debian sysadmins have updated their systems and regenerated any weak openssl keys found. After the disclosure from last week, the debian team has done a great job to identify any possible affected program and any type of key, and for sure there are many ;-) . Special pages were created to help peoples migrate their keys and also to identify if their keys are weak or not. In my previous post I have discussed howto indentify and regenerate the ssh vulnerable keys, obviously the most targeted by attacks against this issue. This post will answer the questions I have received on email on how you can identify and regenerate apache PEM keys (SSL certificates).
The Ubuntu team has created a package which will verify if PEM files are vulnerable or not. The package is called “openssl-blacklist”, and was repackaged for Debian and built for etch: http://xillion.org/openssl-blacklist/. Download the package and install it with dpkg:
wget http://xillion.org/openssl-blacklist/openssl-blacklist_0.1-0~debian-1_all.deb
dpkg -i openssl-blacklist_0.1-0~debian-1_all.deb
Now that you have installed openssl-blacklist you will be able to test your keys/pem using openssl-vulnkey:
openssl-vulnkey <FILE>
For example if you have all your keys (with the extension key) inside /etc/apache2/ssl you could run:
cd /etc/apache2/ssl
openssl-vulnkey *.key
or if you have also pem keys:
openssl-vulnkey *.key *.pem
If you have found weak keys you will probably want to regenerate them. Hopefully your certificate authority will offer you a free reissue for your certificate/s and this bug will not cost you even more than it has already done by now ;-) (most companies will do this for free, like_ Thawte, VeriSign, Digicert, GeoTrust_, etc.). Check your certificate authority for specific details.
Normally for the certificate regeneration you will have to:_ create a new private key_, create a new CSR (Certificate Signing Request) that you will send to your CA, that will reissue and send you back the new certificate:
openssl genrsa -out domainname.key 1024
openssl req -new -key domainname.key -out domainname.csr
cat domainname.csr -> and send this to your CA
Good luck, and hopefully this post has answered the question I got on emails, on how to identify and reissue apache ssl keys (sorry for the late replies, as it has been a crazy week).