[kwlug-disc] Stronger SSH keys and SSL certificates

Jonathan Poole jpoole at digitaljedi.ca
Sun Apr 20 13:47:21 EDT 2014

How paranoid do you want to be?

At least 4096 IMHO. Computers are faster/stronger these days; higher bits shouldn't generate too much load decrypting.

If you want, generate a new cert every day.

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 180 -key ca.key -out ca.crt

On Apr 20, 2014, at 1:12 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:

> Needless to say that recent events and government actions warrant more paranoia ...
> So, to that effect, what options should one use to have the SSH keys stronger?
> How many bits? What options for ssh key gen should be used?
> And for SSL certificates, what options do you use to make the certificates as strong as they can be?
> For example, I use the following script for self signed certificates. How can this be improved?
> #!/bin/sh
> KEY=server.key
> REQ=server.csr
> CRT=server.crt
> cd ~/cert
> # Generate a key
> openssl genpkey -algorithm rsa -out $KEY
> # Generate a certificate signing request
> openssl req -new -sha1 -nodes -key $KEY -out $REQ
> # Create a self signed certificate
> openssl x509 -req -days 365 -in $REQ -signkey $KEY -out $CRT
> # Copy it to the server
> cp $CRT /etc/ssl/certs
> cp $KEY /etc/ssl/private
> -- 
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
> For every complex problem, there is an answer that is clear, simple, and wrong. -- H.L. Mencken
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
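As an added example (not code from either poster), here is a hardened version of the quoted self-signed script: 4096-bit RSA, SHA-256 instead of SHA-1, the key file created with owner-only permissions, two helpers that verify the resulting certificate, and the matching ssh-keygen line for the SSH half of the question. It assumes openssl (and, for the last function, ssh-keygen) on PATH; the directory, CN and key path are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl on PATH and,
# for gen_strong_ssh_key, ssh-keygen from OpenSSH 6.5 or newer.
set -eu

# gen_strong_cert DIR CN: 4096-bit RSA key, SHA-256 signatures, key kept 0600.
gen_strong_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    (
        umask 077   # the key file is born readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
            -out "$dir/server.key" 2>/dev/null
    )
    # -sha256 replaces the quoted script's -sha1; -subj skips the interactive prompt
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_key_bits FILE: modulus size of the certificate's RSA public key
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_sig_alg FILE: algorithm the certificate was signed with (first occurrence)
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# key_mode FILE: permission string, so a leaked world-readable key is caught
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# gen_strong_ssh_key FILE: 4096-bit RSA in the new OpenSSH key format with
# 100 KDF rounds (-o -a 100); -N "" means no passphrase, for unattended use.
gen_strong_ssh_key() {
    ssh-keygen -t rsa -b 4096 -o -a 100 -N "" -f "$1" -q
}
```

Run `gen_strong_cert /path/to/dir example.test` and then `cert_key_bits`, `cert_sig_alg` and `key_mode` on the output to confirm 4096 bits, sha256WithRSAEncryption and `-rw-------` before copying anything into /etc/ssl.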
