Order on SSL certificate through the Enom plug-in fails in PBA with the following error message from Enom:
Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size.
In the CERTENOM.log on the PBA Management Node the following entries may be found in the XML responce from Enom:
<Err1>An error occurred: [CODE: -2019] [MESSAGE: Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size.]</Err1> <Err2>Cannot parse CSR. It may be invalid.</Err2>
Enom does not accept Certificate Signing Request (CSR) with 1024 bit key as not enough secure, only 2048 or more bit keys are considered as secure enough.
When ordering SSL certificate in the PBA Online Store or in the Customer Control Panel a customer has 2 options to create CSR:
- A customer may enter their own CSR
- PBA may generate CSR for a customer
The reason of the problem depends on the PBA version and the way a customer choose to provide CSR (generated by PBA or enter their own CSR):
PBA < 5.1 allows to automatically generate CSR with 1024 bit key in the Online Store and in the Customer Control Panel and use it to order SSL certificate. Such CSR will be denied by Enom.
Since PBA 5.1 only 2048 or more bits key may be used when generating CSR in the PBA Online Store and Customer Control Panel. Such CSR will be accepted by Enom.
In PBA 5.0, 5.1 and 5.4 the Online Store and Customer Control may accept any CSR generated by a customer including one generated with 1024 bit key. In this case a customer may enter not enough secure CSR and such request will be denied by Enom.
- There is one more place in Parallels Automation where CSR may be generated with not enough secure key - POA part of the Customer Control Panel allows to generate CSR with 512 and 1024 bits at the following path: Account > Account Settings > More Tools > SSL Certificates. Such CSR may be used by customer in PBA Control Panel or in the Online Store to order SSL certificate.
PBA < 5.1
Modify the /usr/local/bm/conf/wnd/BM/types.uil file on the PBA Management Node - remove the following line:
CERT_BITS_1024 = "1024" "1024";
Restart PBA using the following commands on the PBA Management Node:
PBA for Linux:
# service pba restart
PBA for Windows
net stop ssm net start pba
After that no 1024 bits option will not be available in the PBA Online Store and Control Panel when generating CSR.
PBA >= 5.1 - no fix is required since PBA Control Panel and Online Store do not offer to generate CSR with 1024 bit key.
The problem with Online Store accepting any kind of CSR including one generated with 1024 bit key is resolved in PBA 5.5.1, upgrade your installation to this or later version.
- The problem with POA allowing to generate CSR with 512/1024 bits key is going to be resolved in POA 5.5.2.