Bob
05-21-2008, 01:33 PM
FutureQuest has been notified of a possible Security issue regarding SSL Certificates that were created from Key Pairs that were generated on a Debian (or related OS (http://www.cafelinux.org/distropedia/?q=node/47)) Linux Operating System.
For customers who used a Debian OS (or its derivatives) to generate a key pair used
to request a certificate, that key pair (and the corresponding certificate) is vulnerable.
This is due to a flaw in the Debian-specific random number generation that results in
relatively predictable key pair values, making them highly exploitable.
If you are running Debian operating systems and derivatives (such as Ubuntu)
released between September 17, 2006 and May 12, 2008 you should deploy a
recently replaced Debian patch and revoke and replace all SSL and Code Signing
certificates for which the keys were created on these operating systems.
If your Key was generated on one of the FutureQuest servers then there would be no impact for you; however, if you created your Key pair externally (or contracted the key generation), you will need to ascertain the Operating System used for that Key generation to determine if you may be impacted.
More regarding this may be viewed here:
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AD94
https://knowledge.verisign.com/support/ssl-certificates-support/index.html
http://www.rapidssl.com/ssl-certificate-support/ssl-support.htm
If you currently have a private SSL Certificate installed on your account and you find it is impacted by the above security issue, once you have received the new Certificate, contact us at the Service Desk, Service@FutureQuest.net, to have the updated certificate installed. There is no charge for installing updated SSL certificates.
http://Service.FutureQuest.net/kb550
-Bob