Free SSL cert reissuance for Debian victims — unless you’re on RapidSSL

If you’ve been following the Debian OpenSSL PRNG security debacle, you may have noticed that there’s a painful problem for people who used a Debian or Ubuntu system to generate the key when buying a commercial SSL certificate: the private key is one of the predictable ones, so the commercially-purchased certificate has to be reissued against a freshly generated key.

(When a certificate is obtained from a commercial Certificate Authority, you first generate a private key and a Certificate Signing Request (CSR) on your own machine, then send the CSR to the CA, which extracts its contents and applies a signature to produce a valid CA-issued certificate. The private key itself never leaves your machine, which is why the CA cannot tell whether it was generated by a broken PRNG.)

Things are looking up for these victims, though: some smart cookie at Debian came up with these instructions on the Debian wiki:

SSL Certificate Reissuance

If you paid good money to have a vulnerable key signed by a Certificate Authority (CA), chances are your CA can re-issue a certificate for free, provided all information in the CSR is identical to the original CSR. Create a new key with a non-vulnerable OpenSSL installation, re-create the CSR with the same information as your original (vulnerable) key’s CSR, and submit it to your CA according to their reissuance policy:

  • GeoTrust: Here (Available throughout the lifetime of the certificate. Tucows/OpenSRS in this case, but the instructions are generic to any GeoTrust client.)
  • Thawte: Here (Available throughout the lifetime of the certificate.)
  • VeriSign: Unknown
  • GoDaddy: Here (Only possible within 30 days of the initial order. GoDaddy calls the process “re-keying”, while they call the act of sending you the same signed certificate as your original order a “reissuance”.)
  • ipsCA: Generate a new CSR as if you are purchasing a new certificate, follow through the procedure up until you get to the point where you are required to pay with your credit card. At that point contact support via their email and let them know that you are requesting a revocation and re-issue and include the ticket number of your new CSR request.
  • CAcert: This is a cost-free certification authority. Simply revoke your old certificates and add new ones. (The key has to be created on a fixed machine and ONLY the certification request has to be uploaded!) At the moment the certificate generation will take some time, as it seems that many users are re-issuing their certificates.
  • Digicert: Log in to your account to re-issue (free).

This is slightly incorrect, however (unfortunately for me). While GeoTrust claim to offer free reissuance of all its SSL certificates, they don’t really. Their low-cost RapidSSL certs require that you buy ‘reissue insurance’ for $20 to avail of this, if you need to reissue more than 7 days after the initial purchase. :( Wiki updated.

Update: RapidSSL certs are, indeed, now free to reissue! Use this URL and click through on the “buy” link for reissuance insurance — the price quoted will be $0. Wiki re-updated ;). (thanks to ServerTastic for the tip.)
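The reissuance instructions quoted above boil down to one rule: a new key from a fixed OpenSSL, and a new CSR whose subject is identical to the one the CA already has on file. The script below is an added example (not from this post, the Debian wiki or any CA) that automates exactly that. It assumes a patched `openssl` binary is on `PATH` and that the original CSR is still available as a file; it copies the subject out of the old CSR rather than relying on anyone retyping it, checks the new CSR's self-signature and subject before anything is submitted, and, if Debian's `openssl-blacklist` package is installed, runs its `openssl-vulnkey` tool against the new key as a final check that the fresh key is not itself one of the known weak ones. The `demo` function constructs a stand-in "original" CSR so the whole thing can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post or the Debian wiki.
# Assumptions: a patched OpenSSL binary is on PATH, and the original CSR
# (the one submitted with the vulnerable key) is available as a file.
# CAs reissue for free only when the new CSR carries the same information as
# the original, so the subject is copied out of the old CSR verbatim.

# Print the subject of a CSR in slash-separated form: "/C=IE/O=.../CN=...".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Generate a fresh 2048-bit RSA key (on a fixed machine) and a new CSR whose
# subject is copied from the old CSR.  Args: old CSR, new key path, new CSR path.
# Returns non-zero if any step or sanity check fails.
rekey_csr() {
    old_csr=$1; new_key=$2; new_csr=$3
    subj=$(csr_subject "$old_csr") || return 1
    [ -n "$subj" ] || return 1
    openssl genrsa -out "$new_key" 2048 2>/dev/null || return 1
    openssl req -new -key "$new_key" -subj "$subj" -out "$new_csr" 2>/dev/null || return 1
    # Sanity checks before sending it to the CA: the CSR's self-signature
    # verifies, and the subject is byte-for-byte the same as the original.
    openssl req -in "$new_csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(csr_subject "$new_csr")" = "$subj" ] || return 1
    # Optional: if Debian's openssl-blacklist tools are installed, confirm the
    # new key is not one of the known weak keys (openssl-vulnkey exits
    # non-zero for a blacklisted key).
    if command -v openssl-vulnkey >/dev/null 2>&1; then
        openssl-vulnkey -q "$new_key" || return 1
    fi
    return 0
}

# Demo with a constructed "original" CSR standing in for the one that was
# signed with the vulnerable key.  Prints the subject that would be resubmitted.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/old.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/old.key" \
        -subj "/C=IE/O=Example Ltd/CN=www.example.com" \
        -out "$dir/old.csr" 2>/dev/null || return 1
    rekey_csr "$dir/old.csr" "$dir/new.key" "$dir/new.csr" || return 1
    csr_subject "$dir/new.csr"
    rm -rf "$dir"
}

demo
```

The subject comparison is the part worth keeping even if you reissue by hand: CAs match the new CSR against the original field by field, so a stray trailing space or a reordered component is enough to turn a free reissue into a new purchase. The key itself is generated with `openssl genrsa` on the patched install and is never uploaded; only the CSR goes to the CA, as the wiki's CAcert entry stresses.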


7 Comments

  1. Posted May 17, 2008 at 19:36

    Hi,

    Just to point out that RapidSSL is now providing free re-issues to all those customers affected.

    To get the re-issue simply go to the URL below

    https://products.geotrust.com/geocenter/reissuance/reissue.do

  2. Posted May 19, 2008 at 11:10

    hi —

    nope, that doesn’t work. They say they do, but when I visit that page and fill out the details of one of my RapidSSL certs, I just get this page.

    Note the “buy” link for “reissuance insurance” :(

  3. Posted May 19, 2008 at 11:14

    Click the Buy link. On the next page you will see that it says Cost: $0.00

    I admit it doesn’t look pretty since it is a mash-up from the existing system where users would have to purchase.

  4. Posted May 19, 2008 at 11:16

    uh, stop the presses. If I then click through to “buy”, the price quoted is $0. Should have thought of that earlier ;)

  5. Posted May 19, 2008 at 11:30

    jinx! ;)

    yep, looks like it’s working fine! I click through on the reissue request and am awaiting a receipt by mail. great.

    I’ve updated the Debian wiki page to note this, too…

  6. Posted May 28, 2008 at 11:45

    fwiw — that receipt never arrived. So it appears this process is broken :( (I’ve been meaning to chase that up, but haven’t had the time yet.)

  7. Posted May 28, 2008 at 11:55

    Might be worth trying again. Possibly being flagged as spam?

    We have had a lot of customers successfully re-issue their certificates in this way.