4096 vs 2048 bit for SSL.
One of the companies I own has a lot of clients who generally inquire whether they need 1024- or 2048-bit private keys when generating a keypair for SSL on their website. I've never recommended either, as 4096-bit private keys are far more secure with only a slight performance reduction.
The only downside is that certain proprietary applications and old browsers aren't set up to handle 4096-bit keys. I've rarely run into problems with compatibility, but I believe it should be strongly deployed so as to influence those developers to upgrade their cryptography backends.
Some how-tos:
Generating a 4096-bit RSA key with OpenSSL.
Encrypted key file (-des3 wraps the key with Triple DES; newer OpenSSL versions also accept -aes256). Make sure you note down your passphrase: if you lose it, your key is USELESS, and the server will ask for it every time it starts.
openssl genrsa -des3 -out my.key 4096
Unencrypted key file.
openssl genrsa -out my.key 4096
Generating a CSR (Certificate Signing Request) for a CA (Certificate Authority).
If you wish to have your public key signed by a CA such as Verisign/Geotrust/Globalsign, make a CSR from your key:
openssl req -new -key my.key -out my.csr
You should NEVER give out your private key to your CA or anyone else! The CSR contains only your public key and the subject name, which is all the CA needs. Store the private key in a safe place, with a backup. Some CAs will NOT reissue a certificate if your key is lost or compromised.
Signing your own certificate (self-signing).
openssl x509 -req -days 730 -in my.csr -signkey my.key -out my.crt
Self-signing saves the few bucks a year a CA charges, but the certificate will not be trusted by anyone who has not imported it, and browsers will warn about it. Self-signed certificates are fine for hobby use or internal servers, but are useless for any real public use. There ARE free (albeit less trusted) CAs such as StartCom that will sign domain-validated certificates for free.
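The three steps above, run end to end with the checks a practitioner would do before installing the result. This is an added example and not part of the original post: the file names follow the post, while WORKDIR and the subject line in SUBJ are assumed values. It confirms the key really is 4096 bits, that key, CSR and certificate share one modulus, that the CSR you would send to a CA carries no private key, and that the self-signed certificate verifies only when it is itself the trust anchor.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's three OpenSSL
# commands non-interactively, then check the output before deploying it.
# File names follow the post; WORKDIR and SUBJ are assumed example values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Assumed subject; the CN must be the host name the certificate will serve.
SUBJ="/C=US/ST=Example/L=Example/O=Example Ltd/CN=www.example.com"

# 1. Private key. Unencrypted, as in the post's second command; add
#    -aes256 (preferable to the older -des3) to passphrase-protect it.
gen_key() {
    openssl genrsa -out "$WORKDIR/my.key" 4096 2>/dev/null
}

# 2. CSR. -subj supplies the distinguished name so no prompts appear.
gen_csr() {
    openssl req -new -key "$WORKDIR/my.key" -subj "$SUBJ" -out "$WORKDIR/my.csr"
}

# 3. Self-signed certificate, valid 730 days, exactly as in the post.
self_sign() {
    openssl x509 -req -days 730 -in "$WORKDIR/my.csr" \
        -signkey "$WORKDIR/my.key" -out "$WORKDIR/my.crt" 2>/dev/null
}

# Check A: modulus length in bits. The top bit of an RSA modulus is always
# set, so the hex modulus of a 4096-bit key is exactly 1024 characters.
key_bits() {
    mod=$(openssl rsa -in "$WORKDIR/my.key" -noout -modulus | cut -d= -f2)
    echo $(( ${#mod} * 4 ))
}

# Check B: key, CSR and certificate must share one modulus; a mismatch
# means the wrong key was used (the classic "certificate doesn't work" bug).
moduli_match() {
    k=$(openssl rsa  -in "$WORKDIR/my.key" -noout -modulus)
    r=$(openssl req  -in "$WORKDIR/my.csr" -noout -modulus)
    c=$(openssl x509 -in "$WORKDIR/my.crt" -noout -modulus)
    if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check C: the CSR you send to a CA carries only the public key. If this
# ever says "yes", the file being sent is the wrong one.
csr_leaks_private_key() {
    if grep -q "PRIVATE KEY" "$WORKDIR/my.csr"; then echo yes; else echo no; fi
}

# Check D: a self-signed certificate verifies only when it is itself the
# trust anchor, which is why every client must import it.
self_verify() {
    if openssl verify -CAfile "$WORKDIR/my.crt" "$WORKDIR/my.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

gen_key
gen_csr
self_sign
echo "key bits:            $(key_bits)"
echo "moduli match:        $(moduli_match)"
echo "CSR has private key: $(csr_leaks_private_key)"
echo "self-verify:         $(self_verify)"
echo "files written to $WORKDIR"
```

To measure the performance difference the post mentions on your own hardware, `openssl speed rsa2048 rsa4096` reports signatures and verifications per second for both sizes; the private-key (signing) side is where the gap shows.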