[kwlug-disc] Stronger SSH keys and SSL certificates
Jonathan Poole
jpoole at digitaljedi.ca
Sun Apr 20 13:50:39 EDT 2014
Oh and of course, ensure you’re using an openssl version not affected, or patched.
On Apr 20, 2014, at 1:47 PM, Jonathan Poole <jpoole at digitaljedi.ca> wrote:
> How paranoid do you want to be?
>
> At least 4096 IMHO. Computers are faster/stronger these days; higher bits shouldn’t generate too much load decrypting.
>
> If you want, generate a new cert every day.
>
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -days 180 -key ca.key -out ca.crt
>
> On Apr 20, 2014, at 1:12 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>> Needless to say that recent events and government actions warrant more paranoia ...
>>
>> So, to that effect, what options should one use to make the SSH keys stronger?
>> How many bits? What options for ssh-keygen should be used?
>>
>> And for SSL certificates, what options do you use to make the certificates as strong as they can be?
>> For example, I use the following script for self signed certificates. How can this be improved?
>>
>> #!/bin/sh
>>
>> KEY=server.key
>> REQ=server.csr
>> CRT=server.crt
>>
>> cd ~/cert
>> # Generate a key
>> openssl genpkey -algorithm rsa -out $KEY
>> # Generate a certificate signing request
>> openssl req -new -sha1 -nodes -key $KEY -out $REQ
>> # Create a self signed certificate
>> openssl x509 -req -days 365 -in $REQ -signkey $KEY -out $CRT
>> # Copy it to the server
>> cp $CRT /etc/ssl/certs
>> cp $KEY /etc/ssl/private
>>
>>
>> --
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
>> Simplicity is the ultimate sophistication. -- Leonardo da Vinci
>> "For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
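The quoted self-signed recipe rewritten with the 4096-bit key the reply recommends, as an added example that is not part of either post: it also switches the request and certificate digest to SHA-256 (my own change, the thread itself does not discuss the digest), creates the private key with a restrictive umask, and parses the output of `openssl rsa -noout -text` to confirm the generated key really has the expected size. The `~/cert` directory and `server.*` file names follow the quoted script; the `--run` switch and the `MIN_BITS` threshold are assumptions, and `openssl req` still prompts for the subject fields exactly as the original does.

```shell
#!/bin/sh
# Added example, not the poster's script: hardened self-signed certificate
# generation plus a check that the key size meets a minimum.
set -eu

MIN_BITS=4096    # assumption: threshold taken from the reply's recommendation

# Parse the "Private-Key: (4096 bit)" line printed by `openssl rsa -noout -text`
# (OpenSSL 3 prints "(4096 bit, 2 primes)", which the pattern also accepts)
# and print only the bit count; prints nothing if the line is absent.
key_bits_from_text() {
    printf '%s\n' "$1" | sed -n 's/^Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 when the parsed key size is at least MIN_BITS, 1 otherwise.
meets_min_bits() {
    bits=$(key_bits_from_text "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Generate key, CSR and self-signed certificate in the given directory
# (defaults to ~/cert as in the quoted script), then verify the key size.
generate_self_signed() {
    dir=${1:-$HOME/cert}
    key=$dir/server.key
    req=$dir/server.csr
    crt=$dir/server.crt
    mkdir -p "$dir"
    umask 077                       # private key is created mode 0600
    openssl genrsa -out "$key" "$MIN_BITS"
    openssl req -new -sha256 -key "$key" -out "$req"
    openssl x509 -req -sha256 -days 365 -in "$req" -signkey "$key" -out "$crt"
    meets_min_bits "$(openssl rsa -in "$key" -noout -text)"
}

# Only touch the filesystem when explicitly asked to and openssl is present.
if [ "${1:-}" = "--run" ] && command -v openssl >/dev/null 2>&1; then
    generate_self_signed "${2:-}"
fi
```

Run it as `sh hardened-cert.sh --run [directory]`; the exit status is non-zero if the generated key is smaller than `MIN_BITS`, so it can gate a deployment step.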