I've only done this once or twice before, but I'm about to generate a certificate signing request (CSR) so I can install an SSL cert on my domain. I know there are plenty of tutorials out there for this, but a lot of the ones I've seen are quite old, like this one at verisign.com that is from 2007: https://knowledge.verisign.com/suppo...SLINK&id=AR198
I'm wondering a couple of things in particular:
* is des3 the current best practice?
* is 2048 bits enough?
* what's the best way to handle the passphrase issue: create key pair without passphrase? or remove the passphrase later (I forget how this is done). Obviously, I would like to follow security best practices.
For better security it's best to use des3, but the common practice is to use RSA keys.
Yes, 2048-bit keys are what is used most of the time.
It does not matter when you remove the passphrase. If you leave it, you will be asked to enter it whenever you want to use the key.
I was wondering if having a passphrase in my key would cause problems for the Certificate Authority when they receive my CSR -- i.e., would *they* be prompted for the passphrase? Or, alternatively, would the cert that they issue require a passphrase if I am to use it with Apache?
I noticed that when I create a CSR I am prompted for the passphrase, so my guess is that it will not. I'm now wondering: is it safe to email a certificate signing request to someone? What risk, if any, is introduced if someone obtains a copy of my CSR?
Just to be clear, DES3 (in the example you cited) is used to encrypt the private key itself. If you do so, you'll always need to provide a key (passphrase) when accessing it. Even when you reboot your server. Not practical.
Yes, it's safe to email a CSR, and assume it will be intercepted. It is not safe to email your private key, transfer it clear text in any fashion, or store it unencrypted in a questionable location.
The CSR contains public information (public key + info like CN, O, OU), so it's safe to send it by mail.
But the private key must be kept securely.
What about DES3? I understand from searching around that DES has been superseded by AES and that DES3 is more or less a band-aid on DES. If I were to prefer AES, I see that openssl has numerous options:
You might want to look at startssl.com. If you own the domain, you can get a free SSL cert that the browser will actually recognize without issuing warnings.
What about DES3? I understand from searching around that DES has been superseded by AES and that DES3 is more or less a band-aid on DES. If I were to prefer AES, I see that openssl has numerous options...
Sure, but it's a big, powerful band-aid.
Anyway, as symmetric ciphers go, AES is generally to be preferred. But this is something of a moot point if you're not going to be encrypting your private key.
If you do want to encrypt your private key for the purpose of backups (for instance), then you can use gpg(1)* or openssl's enc(1) with AES. Read this blog entry if you're so inclined.
-------
* Before anyone asks, yes - gpg(1) does support symmetric encryption.
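The two points made in the replies above, that des3/AES only protect the private key file itself and that the CSR carries nothing secret, as an added POSIX-shell example that is not from the thread. It needs the openssl command-line tool; server.key, Example Org and www.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate an unencrypted 2048-bit RSA
# key and a CSR for a made-up host, then check what the replies assert:
# the CSR holds only public data, and an AES-wrapped backup of the key is
# useless without its passphrase. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/server.key"          # unencrypted key, loadable by Apache at boot
CSR="$WORK/server.csr"          # the file you send to the CA
BACKUP="$WORK/server.key.aes"   # passphrase-protected copy for offline backup

# 1. Key pair without passphrase, 2048 bits, then a CSR signed with it.
#    Subject values are placeholders (hypothetical domain and organisation).
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEY" 2>/dev/null
    openssl req -new -key "$KEY" -batch \
        -subj "/C=US/O=Example Org/CN=www.example.com" -out "$CSR"
}

# 2. The CSR is signed by the private key so the CA can verify it, but the
#    only key material inside is the public key: it must equal the public
#    half of server.key, and no private-key block may appear in the file.
csr_is_public_only() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$CSR" -noout -pubkey > "$WORK/from_csr.pub"
    openssl pkey -in "$KEY" -pubout > "$WORK/from_key.pub"
    cmp -s "$WORK/from_csr.pub" "$WORK/from_key.pub" || return 1
    ! grep -q "PRIVATE KEY" "$CSR"
}

# 3. For a backup, wrap the key with AES-256-CBC under a passphrase ($1).
#    Neither Apache nor the CA ever sees this passphrase; only the backup does.
encrypt_key_backup() {
    openssl pkey -in "$KEY" -aes-256-cbc -passout "pass:$1" -out "$BACKUP"
}

# Unwrapping with the right passphrase restores the same key (both sides are
# re-encoded by openssl pkey so the comparison is byte-for-byte)...
backup_restores_with() {
    openssl pkey -in "$KEY" -out "$WORK/original.key"
    openssl pkey -in "$BACKUP" -passin "pass:$1" -out "$WORK/restored.key" \
        2>/dev/null && cmp -s "$WORK/original.key" "$WORK/restored.key"
}

# ...and a wrong passphrase yields nothing usable.
backup_rejects() {
    ! openssl pkey -in "$BACKUP" -passin "pass:$1" -out /dev/null 2>/dev/null
}

make_key_and_csr
csr_is_public_only && encrypt_key_backup 'backup-only-passphrase' \
    && backup_restores_with 'backup-only-passphrase' \
    && backup_rejects 'not-the-passphrase' && echo "all checks passed"
```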