Article ID: 117448, created on Sep 23, 2013, last review on Oct 30, 2014

  • Applies to:
  • Business Automation 5.5
  • Business Automation 5.4
  • Business Automation 5.1
  • Business Automation 5.0

Symptoms

An order for an SSL certificate through the Enom plug-in fails in PBA with the following error message from Enom:

Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size.

In the CERTENOM.log file on the PBA Management Node, the following entries may be found in the XML response from Enom:

<Err1>An error occurred: [CODE: -2019] [MESSAGE: Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size.]</Err1>
<Err2>Cannot parse CSR. It may be invalid.</Err2>

Cause

Enom does not accept a Certificate Signing Request (CSR) with a 1024-bit key because such a key is not considered secure enough; only keys of 2048 bits or more are considered secure enough.

When ordering an SSL certificate in the PBA Online Store or in the Customer Control Panel, a customer has 2 options for creating the CSR:

  • A customer may enter their own CSR
  • PBA may generate CSR for a customer

The cause of the problem depends on the PBA version and on how the customer chooses to provide the CSR (generated by PBA or entered by the customer):

  1. PBA < 5.1 allows a CSR with a 1024-bit key to be generated automatically in the Online Store and in the Customer Control Panel and used to order an SSL certificate. Such a CSR will be denied by Enom.

  2. Since PBA 5.1, only keys of 2048 bits or more may be used when generating a CSR in the PBA Online Store and Customer Control Panel. Such a CSR will be accepted by Enom.

  3. In PBA 5.0, 5.1 and 5.4, the Online Store and Customer Control Panel may accept any CSR generated by a customer, including one generated with a 1024-bit key. In this case a customer may enter a CSR that is not secure enough, and the request will be denied by Enom.

  4. There is one more place in Parallels Automation where a CSR may be generated with a key that is not secure enough: the POA part of the Customer Control Panel allows generating a CSR with 512-bit and 1024-bit keys at the following path: Account > Account Settings > More Tools > SSL Certificates. Such a CSR may then be used by the customer in the PBA Control Panel or in the Online Store to order an SSL certificate.

Resolution

  1. PBA < 5.1

    • Modify the /usr/local/bm/conf/wnd/BM/types.uil file on the PBA Management Node - remove the following line:

      CERT_BITS_1024 = "1024" "1024";

    • Restart PBA using the following commands on the PBA Management Node:

      • PBA for Linux:

        # service pba restart
        
      • PBA for Windows

        net stop ssm
        net start pba
        

    After that, the 1024-bit option will no longer be available in the PBA Online Store and Control Panel when generating a CSR.

  2. PBA >= 5.1 - no fix is required, since the PBA Control Panel and Online Store do not offer to generate a CSR with a 1024-bit key.

  3. The problem with the Online Store accepting any kind of CSR, including one generated with a 1024-bit key, is resolved in PBA 5.5.1. Upgrade your installation to this or a later version.

  4. The problem with POA allowing a CSR to be generated with a 512-bit or 1024-bit key is going to be resolved in POA 5.5.2.
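
For CSRs that customers paste in themselves (case 3 under Cause), the key size can be checked before the order reaches Enom. The Python code below is an added example, not part of PBA or of the original article; it reads PEM-encoded PKCS#10 with the standard library only, supports RSA keys only, and `sample_csr` builds a constructed, unsigned CSR skeleton purely as demo input.

```python
import base64

MIN_BITS = 2048  # minimum key size quoted in the Enom error message
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER-encoded

def _read(der, pos, skip=0):
    """Return (tag, value_start, value_end) of the element `skip` siblings after pos."""
    for _ in range(skip + 1):
        tag, length, start = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, start = int.from_bytes(der[start:start + n], "big"), start + n
        pos = start + length
    return tag, start, pos

def csr_rsa_bits(pem):
    """Return the RSA modulus size in bits of a PEM-encoded PKCS#10 CSR."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, s, _ = _read(der, 0)            # CertificationRequest
    _, s, _ = _read(der, s)            # CertificationRequestInfo
    _, s, _ = _read(der, s, skip=2)    # subjectPublicKeyInfo, after version and subject
    _, alg, _ = _read(der, s)          # AlgorithmIdentifier
    if not der[alg:].startswith(RSA_OID):
        raise ValueError("not an RSA public key")
    _, s, _ = _read(der, s, skip=1)    # subjectPublicKey BIT STRING
    _, s, _ = _read(der, s + 1)        # skip the unused-bits byte -> RSAPublicKey
    tag, s, e = _read(der, s)          # modulus INTEGER
    if tag != 0x02:
        raise ValueError("unexpected CSR structure")
    return int.from_bytes(der[s:e], "big").bit_length()

def _tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_csr(bits):
    """Constructed, unsigned CSR skeleton with a `bits`-bit modulus (not a real key)."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 = positive
    key = _tlv(0x30, _tlv(0x02, mod) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00" + key))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + spki + _tlv(0xA0, b""))
    der = _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # placeholder signature
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}-----END CERTIFICATE REQUEST-----\n"

for bits in (512, 1024, 2048):  # key sizes named in this article
    print(bits, "ok" if csr_rsa_bits(sample_csr(bits)) >= MIN_BITS else "below Enom minimum")
```

The check only reads the public key; it does not verify the CSR signature or subject fields.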

Search Words

1024 bits

Cannot parse CSR.

It may be invalid.

CSR

Your CSR contains a key size that is no longer considered secure

SSL certificate Certificate Signing Request
