[kwlug-disc] Stronger SSH keys and SSL certificates
jpoole at digitaljedi.ca
Sun Apr 20 13:47:21 EDT 2014
How paranoid do you want to be?
At least 4096 IMHO. Computers are faster/stronger these days; higher bits shouldn't generate too much load decrypting.
If you want, generate a new cert every day.
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 180 -key ca.key -out ca.crt
On Apr 20, 2014, at 1:12 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> Needless to say that recent events and government actions warrant more paranoia ...
> So, to that effect, what options should one use to have the SSH keys stronger?
> How many bits? What options for ssh key gen should be used?
> And for SSL certificates, what options do you use to make the certificates as strong as they can be?
> For example, I use the following script for self signed certificates. How can this be improved?
> cd ~/cert
> # Generate a key
> openssl genpkey -algorithm rsa -out $KEY
> # Generate a certificate signing request
> openssl req -new -sha1 -nodes -key $KEY -out $REQ
> # Create a self signed certificate
> openssl x509 -req -days 365 -in $REQ -signkey $KEY -out $CRT
> # Copy it to the server
> cp $CRT /etc/ssl/certs
> cp $KEY /etc/ssl/private
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
> "For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken
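An added example, not part of the thread and not either poster's script: it builds a self-signed certificate with an explicit RSA key size and a SHA-256 signature in place of `-sha1`, then audits an existing certificate for a short key or a weak signature hash. The function names, file names and the `example.invalid` CN are hypothetical, and the audit assumes RSA certificates.

```shell
#!/usr/bin/env bash
# Added example: names, paths and the CN below are assumptions, not from the thread.

# make_cert BITS DIGEST DIR -> writes DIR/server.key and DIR/server.crt
make_cert() {
    local bits=$1 digest=$2 dir=$3
    # Create the private key under a restrictive umask so it is never world-readable.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${bits}" \
          -out "${dir}/server.key" 2>/dev/null ) || return 1
    # -x509 emits the self-signed certificate directly, so no separate CSR step.
    openssl req -new -x509 "-${digest}" -days 365 \
        -key "${dir}/server.key" -subj "/CN=example.invalid" \
        -out "${dir}/server.crt" 2>/dev/null
}

# check_params BITS SIGALG MIN_BITS -> one line per finding; returns 1 if any
check_params() {
    local bits=$1 sig=$2 min=$3 rc=0
    if [ -z "$bits" ] || [ "$bits" -lt "$min" ]; then
        echo "WEAK: RSA key is ${bits:-unknown} bits, want >= ${min}"
        rc=1
    fi
    case "$sig" in
        md5*|sha1*|"")
            echo "WEAK: signature algorithm ${sig:-unknown}"
            rc=1 ;;
    esac
    return $rc
}

# audit_cert CRT [MIN_BITS] -> returns 0 only when key size and digest pass
audit_cert() {
    local crt=$1 min=${2:-4096} text bits sig
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || return 2
    # "Public-Key: (N bit)" and "Signature Algorithm: ..." come from the -text dump.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    check_params "$bits" "$sig" "$min"
}
```

Running `audit_cert /etc/ssl/certs/yourcert.crt` on a certificate produced by a script that omits the key size shows what the installed OpenSSL's default actually was.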