Creating a CSR in the modern era
I've only done this once or twice before, but I'm about to generate a certificate signing request (CSR) so I can install an SSL cert on my domain. I know there are plenty of tutorials out there for this, but a lot of the ones I've seen are quite old, like this one at verisign.com that is from 2007:
https://knowledge.verisign.com/suppo...SLINK&id=AR198
I'm wondering a couple of things in particular:
* is des3 the current best practice?
* is 2048 bits enough?
* what's the best way to handle the passphrase issue: create the key pair without a passphrase? or remove the passphrase later (I forget how this is done)?
Obviously, I would like to follow security best practices. |
For better security it's best to use des3, but the common practice is to use RSA keys.
Yes, 2048-bit keys are what is used most of the time. It does not matter when you remove the passphrase. If you leave the key as it is, you will be asked to enter the passphrase whenever you want to use it. |
Thanks for your response.
I was wondering if having a passphrase in my key would cause problems for the Certificate Authority when they receive my CSR -- i.e., would *they* be prompted for the passphrase? Or, alternatively, would the cert that they issue require a passphrase if I am to use it with Apache? I noticed that when I create a CSR I am prompted for the passphrase, so my guess is that it will not. I'm now wondering: is it safe to email a certificate signing request to someone? What risk, if any, is introduced if someone obtains a copy of my CSR? |
Just to be clear, DES3 (in the example you cited) is used to encrypt the private key itself. If you do so, you'll always need to provide a key (passphrase) when accessing it. Even when you reboot your server. Not practical.
Yes, it's safe to email a CSR, and assume it will be intercepted. It is not safe to email your private key, transfer it clear text in any fashion, or store it unencrypted in a questionable location. |
Quote:
But the private key must be kept securely. |
Thanks for the response.
What about DES3? I understand from searching around that DES has been superseded by AES and that DES3 is more or less a band-aid on DES. If I were to prefer AES, I see that openssl has numerous options: Code:
Cipher commands (see the `enc' command for more details) |
You might want to look at startssl.com. If you own the domain, you can get a free SSL cert that the browser will actually recognize without issuing warnings.
|
Quote:
Anyway, as symmetric ciphers go, AES is generally to be preferred. But this is something of a moot point if you're not going to be encrypting your private key. If you do want to encrypt your private key for the purpose of backups (for instance), then you can use gpg(1)* or openssl's enc(1) with AES. Read this blog entry if you're so inclined.
-------
* Before anyone asks, yes - gpg(1) does support symmetric encryption. :) |
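The workflow the thread walks through, as an added example that is not from any of the posts above: a passphrase-less 2048-bit RSA key, a CSR built from it, a check that the CSR carries only public material (which is why emailing it is fine), and an AES-256 wrapped backup copy whose passphrase is then removed again. example.com, the file names and the passphrase are constructed placeholders; it assumes a modern openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread. example.com, file names and the
# passphrase are constructed placeholders; needs the openssl CLI.
WORK=$(mktemp -d)
export BACKUP_PASS="${BACKUP_PASS:-constructed-demo-passphrase}"

# 1. A 2048-bit RSA key with NO passphrase: Apache must load it unattended.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
}

# 2. The CSR. -subj skips the interactive prompts; -sha256 is the modern
#    request digest (CAs no longer accept SHA-1 signed requests).
make_csr() {
    openssl req -new -sha256 -key "$WORK/server.key" \
        -subj "/CN=example.com" -out "$WORK/server.csr"
}

# 3. Why a CSR can travel in the clear: it holds only the public key and a
#    self-signature. Verify it, confirm its public key matches our private
#    key, and confirm no private key material leaked into the request.
check_csr() {
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$WORK/server.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/server.key" -pubout)
    [ "$csr_pub" = "$key_pub" ] || return 1
    ! grep -q "PRIVATE KEY" "$WORK/server.csr"
}

# 4. Backup copy wrapped with AES-256 instead of des3. The passphrase is
#    read from the environment (env:) so it never appears on a command line.
backup_key() {
    openssl pkey -in "$WORK/server.key" -aes256 \
        -passout env:BACKUP_PASS -out "$WORK/server.key.enc"
    grep -q "ENCRYPTED PRIVATE KEY" "$WORK/server.key.enc"
}

# 5. "Removing the passphrase" is just decrypting back to a plain key file;
#    the restored key must expose the same public key as the original.
restore_key() {
    openssl pkey -in "$WORK/server.key.enc" -passin env:BACKUP_PASS \
        -out "$WORK/server.key.plain"
    restored_pub=$(openssl pkey -in "$WORK/server.key.plain" -pubout)
    [ "$restored_pub" = "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# Runs the whole workflow; exit status 0 means every check passed.
csr_workflow() {
    gen_key && make_csr && check_csr && backup_key && restore_key
}
```

Only server.csr goes to the CA; server.key stays on the web server with restrictive permissions and server.key.enc is the copy that may leave the box.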