LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 08-09-2011, 04:42 PM   #1
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Rep: Reputation: 50
Creating a CSR in the modern era


I've only done this once or twice before, but I'm about to generate a certificate signing request (CSR) so I can install an SSL cert on my domain. I know there are plenty of tutorials out there for this, but a lot of the ones I've seen are quite old, like this one at verisign.com that is from 2007:
https://knowledge.verisign.com/suppo...SLINK&id=AR198

I'm wondering a couple of things in particular:
* is des3 the current best practice?
* is 2048 bits enough?
* what's the best way to handle the passphrase issue: create key pair without passphrase? or remove the passphrase later (I forget how this is done). Obviously, I would like to follow security best practices.
 
Old 08-10-2011, 07:32 AM   #2
timur91
Member
 
Registered: Aug 2011
Posts: 42

Rep: Reputation: Disabled
For better security it's best to use des3 but the common practices are to use RSA keys
Yes, 2048 bit keys are what is used most of the times
It does not matter when you remove the passphrase. If you leave the key then you will be asked to enter whenever you want to use it.

java socket

Last edited by timur91; 01-05-2012 at 06:26 AM.
 
1 members found this post helpful.
Old 08-10-2011, 03:10 PM   #3
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Thanks for your response.

I was wondering if having a passphrase in my key would cause problems for the Certificate Authority when they receive my CSR -- i.e., would *they* be prompted for the passphrase. Or, alternatively, would the cert that they issue require a passphrase if I am to use it with Apache?

I noticed that when I create a CSR that I am prompted for the passphrase so my guess is that it will not. I'm now wondering is it safe to email a certificate signing request to someone? What risk, if any, is introduced if someone obtains a copy of my CSR?
 
Old 08-10-2011, 03:22 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Just to be clear, DES3 (in the example you cited) is used to encrypt the private key itself. If you do so, you'll always need to provide a key (passphrase) when accessing it. Even when you reboot your server. Not practical.

Yes, it's safe to email a CSR, and assume it will be intercepted. It is not safe to email your private key, transfer it clear text in any fashion, or store it unencrypted in a questionable location.
 
1 members found this post helpful.
Old 08-11-2011, 08:50 AM   #5
salemeni
Member
 
Registered: Aug 2011
Posts: 64

Rep: Reputation: Disabled
Quote:
Originally Posted by sneakyimp View Post
Thanks for your response.

I was wondering if having a passphrase in my key would cause problems for the Certificate Authority when they receive my CSR -- i.e., would *they* be prompted for the passphrase. Or, alternatively, would the cert that they issue require a passphrase if I am to use it with Apache?

I noticed that when I create a CSR that I am prompted for the passphrase so my guess is that it will not. I'm now wondering is it safe to email a certificate signing request to someone? What risk, if any, is introduced if someone obtains a copy of my CSR?
The CSR contain a public information (public key + infos like CN, O ,OU,) it's safe to send it by mail
But private key must be keeped securily.

generics array

Last edited by salemeni; 12-06-2011 at 03:57 AM.
 
1 members found this post helpful.
Old 08-11-2011, 10:18 AM   #6
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Thanks for the response.

What about DES3? I understand from searching around that DES has been superceded by AES and that DES3 is more or less a band-aid on DES. If I were to prefer AES, I see that openssl has numerous options:
Code:
Cipher commands (see the `enc' command for more details)
aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc    
aes-256-ecb    base64         bf             bf-cbc         bf-cfb         
bf-ecb         bf-ofb         cast           cast-cbc       cast5-cbc      
cast5-cfb      cast5-ecb      cast5-ofb      des            des-cbc        
des-cfb        des-ecb        des-ede        des-ede-cbc    des-ede-cfb    
des-ede-ofb    des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb   
des-ofb        des3           desx           rc2            rc2-40-cbc     
rc2-64-cbc     rc2-cbc        rc2-cfb        rc2-ecb        rc2-ofb        
rc4            rc4-40
Which ones are stronger? Are any subject to US Export restrictions?
 
Old 08-11-2011, 01:03 PM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
You might want to look at startssl.com. If you own the domain, you can get a free SSL cert that the browser will actually recognize without issuing warnings.
 
Old 08-11-2011, 02:51 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by sneakyimp
What about DES3? I understand from searching around that DES has been superceded by AES and that DES3 is more or less a band-aid on DES. If I were to prefer AES, I see that openssl has numerous options...
Sure, but it's a big, powerful band-aid.

Anyway, as symmetric ciphers go, AES is generally to be preferred. But this is something of a moot point if you're not going to be encrypting your private key.

If you do want to encrypt your private key for the purpose of backups (for instance), then you can use gpg(1)* or openssl's enc(1) with AES. Read this blog entry if you're so inclined.

-------

* Before anyone asks, yes - gpg(1) does support symmetric encryption.

Last edited by anomie; 08-11-2011 at 02:52 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSL. Have crt and csr, but no key. deathsfriend99 Linux - Server 2 08-20-2010 11:33 PM
create a csr for tomato watcher69b Linux - Networking 0 02-03-2009 09:01 PM
OpenVPN how disable CSR? Shwick Linux - Server 1 12-24-2008 01:30 PM
Generating a CSR shaggz Linux - General 1 01-31-2003 12:56 PM
Problem generating CSR chr15t0 Linux - Security 0 12-31-2002 04:28 PM


All times are GMT -5. The time now is 02:59 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration