I think it was about 2 or 3 years ago when I last created a CSR for a website that actually needed to be signed. I'm about to do so again and I know that security developments are moving rapidly. Here's what I did then:
# create a key (-des3 encrypts it with a passphrase, which you are prompted for)
openssl genrsa -des3 -out www.example.com.key 2048
# enter a passphrase!
# Generate a Certificate Signing Request (CSR) from that key
openssl req -new -key www.example.com.key -out www.example.com.csr
# enter various bits of information about my business
I then pasted the resulting csr file into the certificate authority's (securely hosted) website form and paid them. I was later able to download my cert.
I'm guessing that 2048 bits is not enough these days (or is it?), but that's only a guess. I recall having problems trying to connect via ssh with a 4096-bit key in the past. I also want to be sure that I use a reputable cert authority and avoid problematic entities in securing my site.
Can anyone help me understand best practices for August 2013? Security is very important to me. I'm also worried about going too far to the bleeding edge such that my cert/key are useless to browsers and clients currently in circulation.
Any help would be much appreciated.
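As an added example (not part of the question above, and not the poster's own commands): the same key-plus-CSR procedure written as a script that generates the key and request in one step, puts every hostname into a subjectAltName extension, uses SHA-256 as the request digest, and then inspects the resulting CSR before it is pasted into a CA's form. It assumes an `openssl` binary on PATH; the organisation name, country code and hostnames are made up, and the key is written unencrypted (`-nodes`) rather than with a passphrase, which is a deliberate choice to flag rather than a recommendation.

```bash
#!/bin/sh
# Added example: generate an RSA key and a CSR carrying subjectAltName,
# then check the CSR locally before sending it to the CA.
# Assumes: openssl on PATH. Subject fields and hostnames are made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal `openssl req` config for the given hostnames.
# The first argument becomes the CN; every argument becomes a DNS SAN,
# which is what browsers actually match the certificate against.
write_req_config() {
    cn="$1"
    cfg="$WORKDIR/$cn.cnf"
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "req_extensions = ext"
        echo "prompt = no"
        echo "[dn]"
        echo "CN = $cn"
        echo "O = Example Ltd"          # made-up organisation
        echo "C = GB"                   # made-up country
        echo "[ext]"
        echo "subjectAltName = @alt"
        echo "[alt]"
        i=1
        for name in "$@"; do
            echo "DNS.$i = $name"
            i=$((i + 1))
        done
    } > "$cfg"
    echo "$cfg"
}

# Generate a fresh 2048-bit RSA key and a SHA-256-signed CSR in one call.
# -nodes leaves the key unencrypted on disk; a passphrase-protected key
# (the -des3 in the question) has to be typed in on every server restart,
# so pick one or the other deliberately and protect the file either way.
make_csr() {
    cn="$1"
    cfg=$(write_req_config "$@")
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$cfg" \
        -keyout "$WORKDIR/$cn.key" -out "$WORKDIR/$cn.csr" 2>/dev/null
    chmod 600 "$WORKDIR/$cn.key"
    echo "$WORKDIR/$cn.csr"
}

# Inspect the CSR the way the CA will: the self-signature verifies, the key
# is the expected size, the digest is SHA-256, and every hostname we need
# is present as a DNS SAN. Returns non-zero if anything is missing.
check_csr() {
    csr="$1"; shift
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text)
    echo "$text" | grep -q "2048 bit" || return 1
    echo "$text" | grep -q "sha256WithRSAEncryption" || return 1
    for name in "$@"; do
        echo "$text" | grep -q "DNS:$name" || return 1
    done
    return 0
}

# Usage: generate a request for two names and check it before uploading.
main() {
    csr=$(make_csr www.example.com example.com)
    if check_csr "$csr" www.example.com example.com; then
        echo "CSR ok: $csr"
    else
        echo "CSR failed local checks: $csr" >&2
        exit 1
    fi
}

# Only run main when executed directly, not when sourced for the functions.
case "${0##*/}" in
    sh|bash|dash) ;;
    *) main ;;
esac
```

`check_csr` is the step the question's original procedure lacks: `openssl req -noout -text -verify` shows exactly what the CA will see (key size, digest, SANs), so a wrong hostname or an accidental SHA-1 request is caught before any money changes hands.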