LinuxQuestions.org


sneakyimp 08-13-2013 04:40 PM

Creating a CSR for website HTTPS cert. What are best practices for aug 2013?
 
I think it was about 2 or 3 years ago when I last created a CSR for a website that actually needed to be signed. I'm about to do so again and I know that security developments are moving rapidly. Here's what I did then:

Code:

# create a key
openssl genrsa -des3 -out www.example.com.key 2048
# enter a passphrase!
# Generate a Certificate Signing Request (CSR)
openssl req -new -key www.example.com.key -out www.example.com.csr
# enter various bits of information about my business

I then pasted the resulting csr file into the certificate authority's (securely hosted) website form and paid them. I was later able to download my cert.

I'm guessing that 2048 bits is not enough these days (or is it?), but that's only a guess. I recall having problems trying to connect via ssh with a 4096-bit key in the past. I also want to be sure that I use a reputable cert authority and avoid problematic entities in securing my site.

Can anyone help me understand best practices for August 2013? Security is very important to me. I'm also worried about going too far to the bleeding edge such that my cert/key are useless to browsers and clients currently in circulation.

Any help would be much appreciated.

Kustom42 08-13-2013 07:12 PM

Well I could post you to security links that basically say that SSLs are a sham and no matter how much encryption you put on them they are still breakable. And this is true for every security system in the world.

In all honesty, 2048 bits is pretty standard for most businesses now, and just make sure you get it from a good CA like VeriSign or GoDaddy (this is the only thing I will refer people to GoDaddy for).


http://it.slashdot.org/story/13/08/0...ls-ssl-secrets

Just an FYI, LQ uses 2048 bits for its SSL.
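
Added example, not part of either post: the two commands from the first post run non-interactively, followed by checks to make before the CSR is pasted into a CA's form (key size, self-signature, and that the CSR pairs with the key that will be deployed). The function names, the `-subj` values and the scratch directory are assumptions for illustration, and the key is written without the `-des3` passphrase so that nothing prompts.

```bash
#!/bin/sh
# Added example (not from the thread): create a key and CSR, then check the CSR
# before submitting it. Subject values below are constructed.

# make_csr DIR CN BITS -> writes DIR/CN.key (unencrypted, mode 0600) and DIR/CN.csr
make_csr() {
    ( umask 077 && openssl genrsa -out "$1/$2.key" "$3" 2>/dev/null ) || return 1
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Example State/O=Example Org/CN=$2"
}

# csr_key_bits CSR -> prints the public key size recorded in the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# csr_sig_ok CSR -> true if the CSR's self-signature verifies.
# The result is read from the "verify OK" message rather than the exit status.
csr_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_matches_key CSR KEY -> true if the CSR carries KEY's public half
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY MIN_BITS -> 0 only if every check passes
check_csr() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$3" ] ||
        { echo "key too small: ${bits:-?} bits" >&2; return 1; }
    csr_sig_ok "$1" || { echo "CSR signature does not verify" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key" >&2; return 1; }
}

# Demo in a scratch directory
demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.com 2048 &&
    check_csr "$demo_dir/www.example.com.csr" "$demo_dir/www.example.com.key" 2048 &&
    echo "CSR ok: $(csr_key_bits "$demo_dir/www.example.com.csr")-bit RSA key"
rm -rf "$demo_dir"
```

`check_csr` also fails when handed a different private key than the one that produced the CSR, which catches a mismatched pair before the certificate is issued.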

