Tuesday, March 30, 2010

Creating a 2048 bit certificate request from VisualSVN Server

A few days ago we decided not to use self signed certificates with our Subversion Servers anymore and decided to buy a certificate approved by a certificate authority.

I went to VisualSVN Manager, made a certificate request, pasted it into the certificate request form on the website of one of the certificate authorities and submitted the form. I was surprised when I saw an error message saying that the certificate request has to be generated with a private key with at least 2048 bit encryption. I went back to VisualSVN Manager to find the step where I can specify the type of the key I want to use but I was not able to find such a setting in the certificate request wizard.

It took me a few minutes to find a few posts on the net and to combine them into a working solution so I thought it would be nice to share those findings with others.

Here are the steps you need to take in order to generate a 2048 bit certificate request using VisualSVN Manager:
  1. You first need to create a new private key for VisualSVN Manager to use when creating a request. To do that, follow these steps:
    1. Open command prompt
    2. Type the following command:
      openssl.exe genrsa 2048 > private.key
    3. After that you will find a new file called "private.key" in your working folder. Open the file in a text editor and leave it open for now.
    4. Check that your new private key has the right length by executing the following command in the command prompt:
      openssl.exe rsa -noout -text -in private.key
    5. Check the output of the command executed in step 1.4 and see if you can find the following text in it: "Private-Key: (2048 bit)"

  2. Now you need to update "server.pem" file for your VisualSVN Server. To do that follow the next steps:
    1. Open Windows Explorer and navigate to root folder of your VisualSVN Server installation (it was in "C:\Program Files\VisualSVN Server\" on my server)
    2. Find "server.pem" file (it was in "conf" folder on my server)
    3. Edit "server.pem" file with a text editor
    4. Replace everything between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" with the content of the "private.key" file you generated in step 1.2 and save the changes to "server.pem".

  3. You should now re-create the self signed certificate for your VisualSVN Server to be able to use Subversion until you acquire and setup a new signed certificate. To do that follow the next steps:
    1. Open VisualSVN Manager
    2. Select "Action" and then "Properties" in menu
    3. Go to the "Certificate" tab and click on the "Change certificate..." button
    4. Choose "Create new self-signed certificate" option and click "Next >" button
    5. Click on "Next" and "Finish" buttons until you finish with self-signed certificate creation.
    6. Check that the new self-signed certificate has the right key length by executing the following command:
      openssl.exe x509 -noout -text -in server.pem
    7. NB: you will have to give the full path to "server.pem" to see any results. In the output of the above command, look for the following text: "RSA Public Key: (2048 bit)" (newer OpenSSL versions print "Public-Key: (2048 bit)" instead). If it is there, then you have a 2048 bit key.

  4. The only thing you still need to do is to create a new 2048 bit certificate request. To do that, follow these steps:
    1. Open VisualSVN Manager
    2. Select "Action" and then "Properties" in menu
    3. Go to the "Certificate" tab and click on the "Change certificate..." button
    4. Choose "Prepare certificate request" option and click "Next >" button
    5. Fill-in the name of your domain that will be used by Subversion for SSL communication
    6. Click Next and fill-in the other required information

After completing the above-mentioned steps I was able to request a signed 2048 bit certificate for our Subversion and to use it for all existing and new repositories.
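
The key-length check from steps 1.4 and 3.6 can also be done without depending on the wording of the OpenSSL output. The following is an added example, not part of the original post: the function names are hypothetical, and it assumes "server.pem" holds an unencrypted "RSA PRIVATE KEY" block as described in step 2. It reads the modulus straight out of the DER structure and reports its bit length.

```python
import base64
import re

# The traditional (PKCS#1) block that step 2 replaces inside server.pem.
_RSA_BLOCK = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)


def _read_tlv(buf, pos, want_tag):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected or truncated DER element")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: length fits in one byte
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length


def rsa_key_bits(pem_text):
    """Bit length of the RSA modulus in the first RSA PRIVATE KEY block."""
    m = _RSA_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no RSA PRIVATE KEY block found")
    if "Proc-Type" in m.group(1):          # header only present on encrypted keys
        raise ValueError("key is passphrase protected; decrypt it first")
    der = base64.b64decode("".join(m.group(1).split()))
    seq_start, _ = _read_tlv(der, 0, 0x30)           # RSAPrivateKey ::= SEQUENCE
    _, ver_end = _read_tlv(der, seq_start, 0x02)     # version INTEGER
    n_start, n_end = _read_tlv(der, ver_end, 0x02)   # modulus INTEGER
    return int.from_bytes(der[n_start:n_end], "big").bit_length()


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:          # e.g. the full path to server.pem
        bits = rsa_key_bits(fh.read())
    print(f"RSA key length: {bits} bit", "(OK)" if bits >= 2048 else "(too short)")
```

Run it with the full path to "server.pem" (or "private.key") as the only argument; a result below 2048 means the key in the file is still the old one.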
