It's better to contact that Xerox office again so the analyst can get in touch with software support to create a FER for them, so Xerox can maybe create a new firmware with this included...
Seems 14 Feb there will be a new release, vs: 061.130.221.01300
I'll see what's fixed at that time
Grtz
So this is what I found... or rather our analyst contact at the local Xerox office. The mention in the release notes of:
FER: Add support for 2048 bit certificate key to PIV solution
actually has nothing to do with SSL on the web interface (I don't recall what PIV solution does refer to though). So, the copier still won't generate a key >1024 bits.
I wonder if there is any way to get this filed as a bug report? It seems it will become more of a problem as time goes on. This is what we got from our CA provider:
From Dec 20th 2010 onwards, Comodo and InCommon will no longer
issue certificates of less than 2048 bit key length and will not
accept Certificate Signing Requests (CSRs) generated with keys
of less than 2048 bit.
This is in line with the NIST guidelines
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
as well as the policies of Mozilla
[https://wiki.mozilla.org/CA:MD5and1024], Microsoft
[http://technet.microsoft.com/en-us/library/cc751157.aspx] and
other browser and platform vendors.
Partners and customers of InCommon can continue to use existing
1024 bit certificates on their websites after this date but, at
renewal time, they must generate CSRs using 2048 bit keys.
Hm, well, installed 06113022035400, and I'm still getting a 1024-bit key generated...
But I can contact our local Xerox office. Will post back if I get a solution!
No, they are not public... but since release 15200, I see in the release note:
FER: Add support for 2048 bit certificate key to PIV solution
So download the latest one I said before, and you have also that one :)
Talked to an analyst in our local office who confirmed we are running the initial release firmware from last April; there have been maybe 7 or so updates since then and 2048-bit SSL key support was added in one of these. Now arranging a service call to get the firmware updated.
I'm curious if release notes are available anywhere public, to see what the changes are?
Thanks again.
Thanks, I really should have specified our firmware version with the question, it's 061.130.000.04205. I'll ask around about the update.
Hello,
You can always try the latest firmware, contact Xerox to obtain 061.130.220.35400
I see some extra features regarding security in the release notes...
Pls give us feedback
Trying to install a real SSL key on our new 5775 rather than the self-signed one. I find my CA won't by default accept the generated CSR for processing because of the 1024-bit keysize. It seems there's a policy move from browser manufacturers, and followed by the CAs, to require 2048-bit or larger keys.
Is there a way to either...
1) get the 5775 to generate the CSR with a larger key?, or
2) to upload into the copier a CSR and key I generate myself with openssl?
I'm sure I can get the CA to process the 1024-bit key but would rather not do this for each machine, and it seems like this is something which might have to be fixed in the long term anyway...
thanks,
Graham
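
A pre-submission check for the situation discussed in this thread, added here as an example and not code from any poster or from Xerox: it reads the RSA modulus size out of a DER-encoded PKCS#10 CSR using only the Python standard library and applies the 2048-bit floor from the CA notice. The function names and the `sample_csr` skeleton (unsigned, with a placeholder modulus) are constructed for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
MIN_RSA_BITS = 2048  # floor stated in the CA notice quoted in the thread

def _tlv(buf, pos):  # read one DER element; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _children(buf, start, end):  # elements inside a constructed value
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def csr_rsa_bits(der):
    """Return the RSA modulus size in bits from a DER-encoded PKCS#10 CSR."""
    _, s, e = _tlv(der, 0)                             # CertificationRequest
    _, s, e = _children(der, s, e)[0]                  # CertificationRequestInfo
    _, s, e = _children(der, s, e)[2]                  # version, subject, then SPKI
    (_, a_s, a_e), (_, b_s, _) = _children(der, s, e)  # AlgorithmIdentifier, BIT STRING
    _, o_s, o_e = _children(der, a_s, a_e)[0]          # algorithm OID
    if der[o_s:o_e] != RSA_OID:
        raise ValueError("CSR does not carry an RSA key")
    _, k_s, k_e = _tlv(der, b_s + 1)                   # skip unused-bits byte
    _, m_s, m_e = _children(der, k_s, k_e)[0]          # modulus INTEGER
    return int.from_bytes(der[m_s:m_e], "big").bit_length()

def ca_would_accept(der):
    return csr_rsa_bits(der) >= MIN_RSA_BITS

def _der(tag, value):  # minimal DER encoder, used only to build the samples
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_csr(bits):
    """Constructed, unsigned CSR skeleton with a placeholder modulus (not a real key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    info = _der(0x30, _der(0x02, b"\x00") + _der(0x30, b"") + spki + _der(0xA0, b""))
    return _der(0x30, info + alg + _der(0x03, b"\x00"))
```

A CSR exported in PEM form has to be base64-decoded to DER before it is passed to `csr_rsa_bits`.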