creating a secure certificate

dominant · 01-27-2005, 07:53 AM

Hello guys

I want to create a certificate for an Apache with SSL enabled.

I know that this can be done using the openssl program but i don't know what excactly options or switches should i use to create it.

Could you help me a little ?

Hangdog42 · 01-27-2005, 09:45 AM

At the bottom of this tutorial are links to a good FAQ about making your own certificates.

[GOD]Anck · 01-28-2005, 03:53 AM

Do keep in mind that the commands from the bottom of that FAQ will result in a self-signed certificate. This is probably what you want initially as it allows you to test SSL functionality, but it is not 100% secure since you issued it to yourself, effectively. For a production environment you'd want to get a certificate from a certificate authority such as Thawte or VeriSign.

dominant · 01-28-2005, 04:58 AM

What i have to win if i pay for a certificate?
Longer private key (difficult to crack it?) ?

Hangdog42 · 01-28-2005, 07:32 AM

I don't think the certificate is any different from one you can make yourself. What you are really paying for is a third party endorsement that you are who you say you are.

[GOD]Anck · 01-28-2005, 07:37 AM

The difference would be in how much people trust your site rather than in how hard it is to crack. With self-signed certificates, basically what you are doing is saying "hey look at me, i'm trustworthy!" and since pretty much anyone can do this it doesn't pack as much of a punch as when your certificate is signed by a global certificate authority. Wether it's worth the money depends on how important the customer's trust is, obviously.

dominant · 01-28-2005, 09:32 AM

I see.

Could i make a public key of 2048 bits ? (i supposed that it could be cracked much harder, couln't it)

[GOD]Anck · 01-28-2005, 09:44 AM

Yes, you could specify the number of bits along with the algorithm to use. So if you're following the FAQ, replace "rsa" with "rsa:2048", that should do it. How much more secure that really is compared to the already pretty secure 1024 bit default I couldn't tell you.