Kevin Bauer The rants and ramblings of Kevin Bauer.


4096 vs 2048 bit for SSL.

One of the companies I own has a lot of clients who generally inquire if they need either 1024, or 2048 bit private keys when generating a keypair for SSL on their website. I've never recommended either, as 4096 private are far more secure with only a slight performance reduction.

The only downside is certain proprietary applications, and old browsers aren't setup to handle 4096 bit. I've rarely run into problems with compatability, but I believe it should be strongly deployed as to influence those developers to upgrade their cryptography backends.

Some How To's:

Generating a 4096 bit RSA key with OpenSSL.

Encrypted key file. (Make sure you note down your password as if you lose it, your key is USELESS!)

openssl genrsa -des3 -out my.key 4096

Non-encrypted key file.

openssl genrsa -out my.key 4096

Generating a CSR (Certificate Signing Request) for a CA (Certificate Authority).

If you wish to make a CSR to have your public key signed by a CA such as Verisign/Geotrust/Globalsign.

openssl req -new -key my.key -out my.csr

You should NEVER give out your private key to your CA or anyone! Store it in a safe place, with a backup. Some CA's will NOT reissue lost or compromised certificates.

Signing your own key.

openssl x509 -req -days 730 -in my.csr -signkey my.key -out my.crt

Signing your key will save you the few bucks a year a CA will charge you, but it will not be recognized by others unless they import your certificate. Self-signed SSL's are great for hobby-use, or running internal servers, but are useless for any real public use. There ARE free (albeit less trusted CA's) such as Startcom that will sign domain-based certificates for free.

Filed under: How To's Leave a comment
Comments (0) Trackbacks (0)

No comments yet.

Leave a comment

No trackbacks yet.