Old 08-13-2013, 03:40 PM   #1
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Rep: Reputation: 50
Creating a CSR for website HTTPS cert. What are best practices for aug 2013?


I think it was about 2 or 3 years ago when I last created a CSR for a website that actually needed to be signed. I'm about to do so again and I know that security developments are moving rapidly. Here's what I did then:

Code:
# create a key (comments use '#', the shell comment character)
openssl genrsa -des3 -out www.example.com.key 2048
# enter a passphrase!
# Generate a Certificate Signing Request (CSR)
openssl req -new -key www.example.com.key -out www.example.com.csr
# enter various bits of information about my business
I then pasted the resulting CSR file into the certificate authority's (securely hosted) website form and paid them. I was later able to download my cert.

I'm guessing that 2048 bits is not enough these days (or is it?), but that is only a guess. I recall having problems trying to connect via ssh with a 4096-bit key in the past. I also want to be sure that I use a reputable cert authority and avoid problematic entities in securing my site.

Can anyone help me understand best practices for August 2013? Security is very important to me. I'm also worried about going too far to the bleeding edge such that my cert/key are useless to browsers and clients currently in circulation.

Any help would be much appreciated.
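As an added example (not code from the thread), this script automates the key-plus-CSR procedure above with two changes that matter when submitting to a CA: the CSR is signed with SHA-256 and carries subjectAltName entries, and the CSR is verified against the private key before it leaves the machine. The hostnames, the organisation string and the `make_csr`/`verify_csr` function names are constructed placeholders.

```shell
#!/bin/sh
# Generate a 2048-bit RSA key and a SHA-256-signed CSR with SAN entries,
# then verify the CSR before handing it to a CA. Added example, not the
# thread author's code; hostnames and org name are constructed.
set -eu

# make_csr DIR HOSTNAME [ALT_HOSTNAME...]
make_csr() {
    dir=$1; cn=$2; shift 2
    sans="DNS:${cn}"
    for alt in "$@"; do sans="${sans},DNS:${alt}"; done

    # Request config: prompt=no keeps it scriptable; req_extensions adds
    # the SANs that browsers match instead of the CN.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C = US
O = Example Org (constructed)
CN = ${cn}
[ext]
subjectAltName = ${sans}
EOF
    # Key is written unencrypted so the web server can start unattended;
    # restrict it with umask rather than relying on a -des3 passphrase.
    (umask 077 && openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$dir/$cn.key" \
        -config "$dir/req.cnf" -out "$dir/$cn.csr"
}

# verify_csr DIR HOSTNAME: check the CSR's self-signature, that it was
# produced with the key we hold, and that the expected SAN is present.
verify_csr() {
    dir=$1; cn=$2
    openssl req -in "$dir/$cn.csr" -noout -verify >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$dir/$cn.key" -noout -modulus)
    cmod=$(openssl req -in "$dir/$cn.csr" -noout -modulus)
    [ "$kmod" = "$cmod" ] || return 1
    openssl req -in "$dir/$cn.csr" -noout -text | grep -q "DNS:${cn}"
}
```

Run it as `make_csr ./out www.example.com example.com && verify_csr ./out www.example.com`; the modulus comparison is what catches a CSR accidentally generated against the wrong key.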
 
Old 08-13-2013, 06:12 PM   #2
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,568

Rep: Reputation: 411
Well, I could point you to security links that basically say that SSLs are a sham and no matter how much encryption you put on them they are still breakable. And this is true for every security system in the world.

In all honesty, 2048 bits is pretty standard for most businesses now, and just make sure you get it from a good CA like VeriSign or GoDaddy (this is the only thing I will refer people to GoDaddy for).


http://it.slashdot.org/story/13/08/0...ls-ssl-secrets

Just an FYI, LQ uses 2048 bits for its SSL.

Last edited by unSpawn; 08-13-2013 at 07:14 PM. Reason: //merged