[kwlug-disc] Stronger SSH keys and SSL certificates

Jonathan Poole jpoole at digitaljedi.ca
Sun Apr 20 13:50:39 EDT 2014


Oh and of course, ensure you’re using an openssl version not affected, or patched.

On Apr 20, 2014, at 1:47 PM, Jonathan Poole <jpoole at digitaljedi.ca> wrote:

> How paranoid do you want to be?
> 
> At least 4096 IMHO, Computers are faster/stronger/ these days, higher bits shouldn’t generate too much load decrypting. 
> 
> if you want, generate a new cert everyday if you want.
> 
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -days 180 -key ca.key -out ca.crt
> 
> On Apr 20, 2014, at 1:12 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> 
>> Needless to say that recent events and government actions warrants more paranoia ...
>> 
>> So, to that effect, what options should one use to have the SSH keys stronger?
>> How many bits? What options for ssh key gen should be used?
>> 
>> And for SSL certificates, what options do you use to make the certificates as strong as they can be?
>> For example, I use the following script for self signed certificates. How can this be improved?
>> 
>> #!/bin/sh
>> 
>> KEY=server.key
>> REQ=server.csr
>> CRT=server.crt
>> 
>> cd ~/cert
>> # Generate a key
>> openssl genpkey -algorithm rsa -out $KEY
>> # Generate a certificate signing request
>> openssl req -new -sha1 -nodes -key $KEY -out $REQ
>> # Create a self signed certificate
>> openssl x509 -req -days 365 -in $REQ -signkey $KEY -out $CRT
>> # Copy it to the server
>> cp $CRT /etc/ssl/certs
>> cp $KEY /etc/ssl/private
>> 
>> 
>> -- 
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
>> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>> For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> 
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20140420/24af6193/attachment.htm>


More information about the kwlug-disc mailing list