<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Oh and of course, ensure you’re using an openssl version not affected, or patched.<div><br><div><div>On Apr 20, 2014, at 1:47 PM, Jonathan Poole <<a href="mailto:jpoole@digitaljedi.ca">jpoole@digitaljedi.ca</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">How paranoid do you want to be?<div><br></div><div>At least 4096 IMHO. Computers are faster/stronger these days, higher bits shouldn’t generate too much load decrypting. </div><div><br></div><div>If you want, generate a new cert every day.</div><div><strong><br></strong></div><div><strong>openssl genrsa -out ca.key 4096</strong><br><div><div><p><strong>openssl req -new -x509 -days 180 -key ca.key -out ca.crt</strong></p></div><div><div>On Apr 20, 2014, at 1:12 PM, Khalid Baheyeldin <<a href="mailto:kb@2bits.com">kb@2bits.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><div><div>Needless to say that recent events and government actions warrant more paranoia ...<br><br></div>So, to that effect, what options should one use to have the SSH keys stronger?<br></div><div>How many bits? What options for ssh key gen should be used?<br>
<br></div>And for SSL certificates, what options do you use to make the certificates as strong as they can be?<br>For example, I use the following script for self signed certificates. How can this be improved?<br><br>#!/bin/sh<br>
<br>KEY=server.key<br>REQ=server.csr<br>CRT=server.crt<br><br>cd ~/cert<br># Generate a key<br>openssl genpkey -algorithm rsa -out $KEY<br># Generate a certificate signing request<br>openssl req -new -sha1 -nodes -key $KEY -out $REQ<br>
# Create a self signed certificate<br>openssl x509 -req -days 365 -in $REQ -signkey $KEY -out $CRT<br># Copy it to the server<br>cp $CRT /etc/ssl/certs<br>cp $KEY /etc/ssl/private<br><br clear="all"><div><br>-- <br>
Khalid M. Baheyeldin<br><a href="http://2bits.com/" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>
Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>For every complex problem, there is an answer that is clear, simple, and wrong. -- H.L. Mencken<br>
</div></div>
_______________________________________________<br>kwlug-disc mailing list<br><a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a><br><a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br></blockquote></div><br></div></div></div></blockquote></div><br></div></body></html>