With the imminent removal of sha1 from most browsers, and sha1 being moslty broken, I’ve finally created a new root CA and re-generated all my certificates.

All the commands I followed where from another blog post. OpenSSL commands can be a bit esoteric, but in the end it’s all quite simple when you understand the ins and outs of why you’re creating a root key, a CSR, and so on.

Now the funnier thing is dealing with updates among my users. Debian has its own trust store, Firefox has its own trust store that’s independant, apparently Thunderbird has its own trust store that’s yet different to Firefox’s, and for some reason my mum’s Thunderbird decided to choke on accepting the new certificate until it was killed and restarted (and then it worked for no good reason).

While Firefox and Thunderbird’s trust stores are best accessed through the GUI, Debian’s is easily updatable by adding certificates to /usr/local/share/ca-certificates and then running update-ca-certificates. This lets e.g. cadaver connect to your owncloud.

While I was at it, I also created a certificate for this Web site as my sslh setup now let’s me, thanks to the SNI probe. So you can now read my blog in the knowledge that no-one is changing its contents. Except for anyone that’s got access to one of the hundreds of roots in your trust store, that is. And my hosting provider who could access the private key. Don’t worry, it’s all secure.

[EDIT: Google is now announcing they can break SHA-1. The attack remains impractical in general, but could be a problem for long-lived signed data (notarised documents, signed software updates for industries where they remain rare, …]