Generating ECC CSR Certificate on Apache on Linux CentOS – PCI standards
June 9, 2021
WHM- SSL/TLS Configuration

Recently, the PayPal IPN (Instant Payment Notification) for one of my products stopped working.

I thought my code had a problem, but even after rewriting the whole thing it still did not work. Then, using the PayPal IPN Simulator (https://developer.paypal.com/developer/ipnsimulator/), I discovered that IPN was not completing the TLS handshake with my domain, because my domain was using a very basic SSL certificate.

So, I found that there are 4 types of SSL/TLS key (as listed in the cPanel & WHM documentation):

1. ECDSA, P-256 (prime256v1)
ECDSA allows websites to support Internet Explorer 11 and retain compliance with PCI standards. ECDSA is recommended for systems running LSWS.

2. ECDSA, P-384 (secp384r1)
ECDSA allows websites to support Internet Explorer 11 and retain compliance with PCI standards. secp384r1 is more secure than prime256v1, but may perform slower. ECDSA is recommended for systems running LSWS.

3. RSA, 2,048-bit
RSA is more compatible with older clients (for example, browsers older than Internet Explorer 11) than ECDSA. New installations of cPanel & WHM ship with this setting.

4. RSA, 4,096-bit
RSA is more compatible with older clients (for example, browsers older than Internet Explorer 11) than ECDSA. This is more secure than RSA, 2,048-bit, but will perform slower than RSA, 2,048-bit keys.

———–
I always use RSA 2048-bit, but for the domain that will process credit cards I decided to buy EssentialSSL from Namecheap, using the SHA-2 hashing algorithm with an ECDSA, P-256 (prime256v1) key, which retains compliance with PCI standards.

I generated the CSR file using the commands below:
1. First, generate the private key file from the command line on Linux CentOS:
# openssl ecparam -out zserver.key -name prime256v1 -genkey

2. Then, generate the CSR file from the command line on Linux CentOS:
# openssl req -new -key zserver.key -out zserver.csr
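As an added example (not from the original post, nor cPanel's or Namecheap's own tooling), here are the two steps above as a non-interactive script that also checks the result before the CSR is submitted: which curve the CSR's public key uses, that the CSR's public key matches the private key, and that the CSR's self-signature verifies. It assumes openssl is on the PATH; the file names, subject and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate an ECDSA P-256 key and CSR
# non-interactively, then verify what was produced before sending the CSR to the CA.
# Assumes openssl is on PATH; file names and the subject are constructed placeholders.
set -eu

# Generate an EC private key on the named curve (prime256v1 = NIST P-256).
# -noout keeps the EC parameters block out of the file so only the key is written.
gen_ecc_key() {      # $1 = key path, $2 = curve name
    openssl ecparam -name "$2" -genkey -noout -out "$1"
    chmod 600 "$1"   # the private key must not be world-readable
}

# Create the CSR from the key; -subj supplies the subject instead of the interactive prompts.
gen_csr() {          # $1 = key path, $2 = CSR path, $3 = subject
    openssl req -new -sha256 -key "$1" -out "$2" -subj "$3"
}

# Report which curve the CSR's public key uses, e.g. "prime256v1".
csr_curve() {        # $1 = CSR path
    openssl req -in "$1" -noout -pubkey \
        | openssl ec -pubin -text -noout 2>/dev/null \
        | sed -n 's/^ASN1 OID: //p'
}

# Confirm the CSR carries the public key derived from this private key
# (the EC equivalent of comparing RSA moduli); exit status 0 on match.
key_matches_csr() {  # $1 = key path, $2 = CSR path
    key_pub=$(openssl ec -in "$1" -pubout 2>/dev/null | openssl sha256)
    csr_pub=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$csr_pub" ]
}

# Check that the CSR's self-signature verifies (catches a corrupted or hand-edited file).
csr_verify() {       # $1 = CSR path
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Run it with constructed file names and subject.
WORK=${TMPDIR:-/tmp}/ecc-csr-demo
mkdir -p "$WORK"
gen_ecc_key "$WORK/zserver.key" prime256v1
gen_csr "$WORK/zserver.key" "$WORK/zserver.csr" "/C=US/O=Example Ltd/CN=shop.example.com"
csr_verify "$WORK/zserver.csr" && key_matches_csr "$WORK/zserver.key" "$WORK/zserver.csr"
echo "CSR OK, curve: $(csr_curve "$WORK/zserver.csr")"
```

The same checks apply to the CA-issued certificate later: compare its public key (openssl x509 -pubkey) against the private key the same way before installing it.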

After I had generated my CSR file and provided it in the Namecheap SSL purchase area, I received the certificate file with the bundle and installed it. I am happy that my domain's SSL is now PCI compliant and protects against certificate forgery.

P.S. To make an RSA 2048-bit SSL key and CSR:

—————————————

1. First, generate the private key file from the command line on Linux CentOS:
# openssl genrsa -out server.key 2048
2. Then, generate the CSR file from the command line on Linux CentOS:
# openssl req -new -key server.key -out server.csr
—————————————
P.P.S. Make sure your server supports TLS 1.2 or higher. To check the TLS version that PHP's cURL negotiates when it connects out from your server, use the PHP code below:
———————————————————————————————————————
<?php
// Query howsmyssl.com, which reports the TLS version negotiated by the
// connecting client (here: PHP's cURL on this server).
$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
if ($data === false) {
    die('cURL error: ' . curl_error($ch));
}
curl_close($ch);
$json = json_decode($data);
echo "Server current version of TLS: " . $json->tls_version . PHP_EOL;

———————————————————————————————————————

Reference:
https://sectigo.com/resource-library/how-to-generate-certificate-signing-request-on-apache-ecc
https://www.paypal.com/re/smarthelp/article/migration-to-digicert-root-certificates-ts2240
https://www.paypal.com/re/smarthelp/article/where-can-i-find-paypal-ssl-server-certificates-ts1510
https://docs.cpanel.net/knowledge-base/security/ssl-tls-key-types/#ecdsa

About author

ZERIN

CEO & Founder (BdBooking.com - Online Hotel Booking System), CEO & Founder (TaskGum.com - Task Management Software), CEO & Founder (InnKeyPro.com - Hotel ERP), Software Engineer & Solution Architect
