
As announced on September 5, 2014, the developers of the Chromium browser are no longer pleased with the SHA-1 hashing algorithm. The very appearance of the browser's address bar will tell visitors of HTTPS sites secured by such certificates that something is "wrong" with the site. The indicator will change in stages over time, allowing a more or less smooth transition, and at the end certificates signed with SHA-1 will no longer be treated as secure at all:

As a result, all Chromium-based browsers (including Google Chrome) will stop trusting SHA-1 signatures. Mozilla and Microsoft have announced deprecation plans of their own. Chrome is expected to start showing its "special attitude to SHA-1" from version 39, due at the end of November 2014.
In our company we used a wildcard certificate, issued with SHA-1, for the web interfaces of our services. It had been bought from WebNames.ru (which is Regtime LLC), so we asked Regtime technical support how to reissue the same certificate, but with SHA-2.
The answer was brief:
Unfortunately, there is no such possibility. That would be ordering a new certificate.
"Wow," we thought, "that's somewhat offensive!" We thought some more and remembered that Webnames does not issue certificates itself but orders them from a third party, in our case RapidSSL (which is GeoTrust). We wrote to their technical support instead, and, lo and behold, all our problems were resolved quickly and painlessly.
So, this is what we learned: the certificate is reissued at no additional charge by uploading a CSR and selecting SHA-2 as the hashing algorithm in the certificate order panel on the GeoTrust website. Whether a (re)issue is paid or free turns out to depend only on the data in the CSR: if it matches the data of a certificate the customer has already ordered, nothing is charged. Two points worth keeping in mind: the hash algorithm selected in the panel, not the one used to sign the CSR, determines which signature the CA puts on the certificate; and if you generate a fresh key pair for the new CSR (as the openssl command below does), the new private key has to be installed alongside the reissued certificate on every server that used the old ones.
And now the trick: the data in the CSRs that Regtime submits for its clients does not resemble the client's own data at all. Here are the fields Regtime uses, and therefore what you need to specify in order to reissue the certificate with SHA-2 for free through GeoTrust:
Organization: Regtime
Organizational unit: Regtime
City/locality: Samara
State/province: Samara
Country: RU
(rather modest of them, isn't it?)
So, create a new CSR with this data (the Common Name field, of course, should contain the domain name for which we are reissuing the certificate; openssl prompts for the subject fields interactively, or they can be passed on the command line with -subj):
openssl req -new -newkey rsa:4096 -sha512 -nodes -keyout www-example-com.pem -out www-example-com.csr
Note that -sha512 here only signs the CSR itself (the CA decides the hash used on the certificate), and -nodes writes the private key to disk unencrypted, so keep that file well protected.
Upload it in the "Self Service Reissuance" section of the GeoTrust website, and we get what we wanted: a new certificate.
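The whole procedure, scripted, as an added example that is not part of the original post: it generates the key and CSR non-interactively with the subject fields listed above, prints the subject so it can be compared with the existing order, and then self-signs the CSR with SHA-256 (and, where the OpenSSL build still allows it, with SHA-1) to show that the hash in the certificate's signature is chosen at signing time by whoever signs, not by the CSR. The domain www.example.com, the temporary working directory and the self-signing step are assumptions for the demo; in real use the certificate comes back from GeoTrust and only the server_sig_alg check (which needs network access and is not run here) applies to it.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes `openssl` on PATH.
# Subject fields are the ones the post says Regtime uses; CN is a sample domain.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=RU/ST=Samara/L=Samara/O=Regtime/OU=Regtime/CN=${DOMAIN}"

# Generate a 4096-bit RSA key and a CSR carrying the reseller's subject data.
# -subj avoids the interactive prompts; -sha512 only affects the CSR's own
# self-signature, not the hash the CA will use on the certificate.
make_csr() {
    openssl req -new -newkey rsa:4096 -sha512 -nodes -subj "$SUBJ" \
        -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" 2>/dev/null \
        || return 1
    printf '%s\n' "$WORK/$DOMAIN.csr"
}

# Print the subject of a CSR so it can be compared with the existing order.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Self-sign the CSR with the given digest, imitating the CA's choice of hash.
# Builds whose policy disables SHA-1 signatures fail here for "sha1".
sign_with() {
    digest="$1"; csr="$2"; out="$WORK/$DOMAIN-$digest.crt"
    openssl x509 -req -days 1 -"$digest" -in "$csr" \
        -signkey "$WORK/$DOMAIN.key" -out "$out" 2>/dev/null || return 1
    printf '%s\n' "$out"
}

# Report the signature hash of the leaf certificate a live server presents
# (needs network access; the offline run below does not call it).
server_sig_alg() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

main() {
    csr="$(make_csr)"
    printf 'CSR written to %s\n' "$csr"
    csr_subject "$csr"
    crt256="$(sign_with sha256 "$csr")"
    printf 'SHA-256 signed certificate: %s\n' "$(cert_sig_alg "$crt256")"
    if crt1="$(sign_with sha1 "$csr")"; then
        printf 'SHA-1 signed certificate:   %s  (what Chrome 39+ flags)\n' \
            "$(cert_sig_alg "$crt1")"
    else
        echo "this OpenSSL build refuses to produce SHA-1 signatures"
    fi
}

main
```

The key and CSR stay in the working directory printed by the script; the key is unencrypted, so move it into the web server's key store with restrictive permissions rather than leaving it in /tmp. Once the reissued certificate is installed, `server_sig_alg your.host` is the quickest way to confirm that the server really presents a SHA-2 signature and not the old chain.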
In conclusion: it is not always worth believing the negative answers of technical support (especially since Webnames, in our experience, rather often likes to answer "no"); it is worth switching your head on and solving your problems directly. It is quieter that way!
PS A few days after this was posted, a person from Regtime contacted me (at the contact e-mail address from my account data at Webnames) and assured me that they had taken some measures on this matter. I won't say much: that they read Habr is probably good, that they try to solve problems somehow is also good, but the problem came to light not through contacting support (on the contrary, support merely tried to explain to the client how much the client needed them) but only after outside intervention, and here, I think, the company has no reason for pride. We'll see; there is still time to think about whom to buy next year's certificate from :)