Can the certificate signature algorithm be changed with management tools (conga, etc.) of Red Hat Enterprise Linux 6 (High Availability)?

Solution Verified

Environment

  • Red Hat Enterprise Linux 6.2+
  • luci
  • ricci

Issue

  • Can the certificate signature algorithm be changed with management tools (conga or luci/ricci, ccs_sync, ccs) of Red Hat Enterprise Linux 6 (High Availability)?
  • SSL Certificate signed using weak hashing algorithm with luci and ricci on RHEL 6
  • While scanning cluster nodes with the Nessus network security scanner, the tool reports the following alert:

    SSL Certificate signed using weak hashing algorithm
    
  • The Firefox web browser reports the following in its internal logging console when connecting to the website created by luci for managing clusters:

    This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
    

Resolution

If the hashing algorithm is not suitable for the environment the cluster is running in, a custom certificate can be used instead of the certificates generated by luci and ricci.

Root Cause

Self-signed certificates for luci and ricci are created by their respective init scripts on first run if they do not exist yet (the ricci init script also covers ccs_sync, which reuses the ricci certificate pair). Similarly, ccs generates its certificate on the fly if it is missing.

The default locations for these certificates (the public parts, where applicable) are as follows:

  • luci: /var/lib/luci/certs/host.pem (public+private)
    • This certificate is used implicitly for both public (HTTPS) and private communication, as detailed in the article about custom certificates.
    • Each of the two contexts can be configured to use an independent certificate from a different location; if that is the case, check those locations instead.
  • ricci: /var/lib/ricci/certs/cacert.pem (public)
  • ccs: ~/.ccs/cacert.pem (public)
  • ccs_sync: Binary certificate storage, but inherits certificate pair from local ricci deployment.

These certificates may not be suitable for the particular environment the cluster is part of.

Diagnostic Steps

The following command shows the signature algorithm that a particular certificate uses.

# openssl x509 -in <path to the certificate> -noout -text | grep Signature
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption

By default, any of the certificate locations listed above, substituted for <path to the certificate>, produces output identical to this example.
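The following script is an added example and not part of the Red Hat solution; it automates the check above across the default certificate locations named in the Root Cause section and flags signatures based on MD2, MD4, MD5 or SHA-1, and it shows how to produce a SHA-256-signed self-signed replacement with openssl for the Resolution step. The key size, validity period, output directory and the assumption that luci's host.pem is simply the private key and certificate concatenated are choices made for this example; installing the result for luci or ricci follows the custom-certificate article the solution refers to, which this script does not replace.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): audit the signature algorithm
# of the luci/ricci/ccs certificates and generate a SHA-256 replacement.

# Default certificate locations named in the article. ccs_sync has no PEM file
# of its own (it reuses the ricci pair), so checking ricci covers it as well.
CERT_PATHS="/var/lib/luci/certs/host.pem /var/lib/ricci/certs/cacert.pem $HOME/.ccs/cacert.pem"

# Print the signature algorithm of one PEM certificate, e.g. "sha1WithRSAEncryption".
# openssl prints the line twice (inside the TBS part and after it); keep the first.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Classify an algorithm name: "weak" for MD2/MD4/MD5/SHA-1 based signatures
# (sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1, ...), "unknown" for an
# empty name (unreadable file), "ok" otherwise. Matching is case-insensitive.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        '')                          echo unknown ;;
        *md2*|*md4*|*md5*|*sha1*)    echo weak ;;
        *)                           echo ok ;;
    esac
}

# Report one line per readable default certificate; return non-zero if any
# certificate is signed with a weak hash, so the function fits into a cron job
# or a compliance check.
audit_cluster_certs() {
    rc=0
    for path in $CERT_PATHS; do
        [ -r "$path" ] || continue
        alg=$(cert_sig_alg "$path")
        verdict=$(classify_sig_alg "$alg")
        printf '%-40s %-28s %s\n' "$path" "${alg:-<unreadable>}" "$verdict"
        if [ "$verdict" = weak ]; then rc=1; fi
    done
    return $rc
}

# Generate a replacement self-signed certificate signed with SHA-256 into a
# scratch directory and print its signature algorithm. A 2048-bit RSA key and
# ten years of validity are choices for this example, not article values.
# The combined host.pem (key followed by certificate) mirrors the layout the
# article describes for luci; whether luci accepts it as-is is an assumption.
make_sha256_cert() {
    cn=$1; outdir=$2
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn" -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    cat "$outdir/key.pem" "$outdir/cert.pem" > "$outdir/host.pem"
    cert_sig_alg "$outdir/cert.pem"
}

# Usage: sh check-cluster-certs.sh audit
#        sh check-cluster-certs.sh new <common name> <output directory>
case "${1:-}" in
    audit) audit_cluster_certs ;;
    new)   make_sha256_cert "${2:-$(hostname -f)}" "${3:-/tmp/cluster-cert}" ;;
esac
```

Run with `audit` to see a table of path, algorithm and verdict for the certificates present on the node; the exit status is 1 when any of them is flagged, which makes the script usable as a scanner-style check before Nessus does. The `new` mode only writes files under the given directory so that the generated pair can be reviewed before it is put in place.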

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
