[Triumf-linux-managers] FYI - minimum key length for RapidSSL certificates
Andrew Daviel
advax at triumf.ca
Wed Apr 18 10:20:01 PDT 2012
FYI
Re. requesting commercial SSL certificates for public-facing webservers
Glenn Jones recently wrote:
When I submitted the CSR, I got the following message back:
Your CSR contains a key size that is no longer considered secure.
Security best practices require a minimum key size of 2048 bits. Please
submit a new CSR with a minimum 2048 bit key size.
It seems that up to SL5, the default keylength in OpenSSL requests is
1024. In SL6, it is 2048.
On a per-request basis, this may be changed using e.g.
$ openssl req -new -newkey rsa:2048
or as the default by changing "default_bits" in /etc/pki/tls/openssl.cnf
I have updated the docs to suggest this keylength for TRIUMF
certificates, but do not require it.
FYI(2)
I have added a recipe for adding the TRIUMF root CA to the Sun Java
keystore :
https://trmail.triumf.ca/CA/linux-java.html
This should reduce security challenges from TRIUMF-signed Java objects
(Java applets must be signed to allow them to access the network or
filesystem). (On Windows, I believe adding the TRIUMF CA to Internet
Explorer is sufficient, as this is used as a system-wide keystore.)
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
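As an added example (not part of the original post or of TRIUMF's documentation), the following POSIX shell functions generate a CSR with a 2048-bit RSA key the way the post suggests and, more usefully, read the key size back out of an existing CSR so it can be checked locally before it is submitted to a CA. It assumes the openssl command-line tool is installed; the file names, the hostname in the subject and the 2048-bit threshold are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is present.
# File names, the CN and the minimum key size below are illustrative placeholders.

set -e

# Generate an unencrypted RSA key of the requested size and a CSR for it in one
# step (this is the per-request form of "openssl req -new -newkey rsa:2048").
make_csr() {
    keyfile="$1"; csrfile="$2"; bits="$3"; host="$4"
    openssl req -new -newkey "rsa:${bits}" -nodes \
        -keyout "$keyfile" -out "$csrfile" \
        -subj "/CN=${host}" >/dev/null 2>&1
}

# Print the RSA modulus size in bits of the public key carried in a CSR.
# Extracting the public key and dumping it with "openssl pkey" works the same
# on old and new OpenSSL releases ("RSA Public-Key: (N bit)" vs "Public-Key: (N bit)").
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Exit status 0 if the CSR's key meets the minimum (default 2048 bits),
# 1 if it is too short (the CA would reject it), 2 if no RSA size was found.
check_csr_key_size() {
    csr="$1"; min="${2:-2048}"
    bits=$(csr_key_bits "$csr")
    if [ -z "$bits" ]; then
        echo "$csr: could not determine RSA key size (not an RSA key?)" >&2
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "$csr: key size $bits is below the $min-bit minimum; resubmit with a longer key" >&2
        return 1
    fi
    echo "$csr: key size $bits bits OK"
    return 0
}

# Typical use (placeholder names):
#   make_csr www.key www.csr 2048 www.example.org
#   check_csr_key_size www.csr 2048
```

To make 2048 the default rather than a per-request option, set `default_bits = 2048` in the `[ req ]` section of openssl.cnf as the post describes; the check above is still worth running on any CSR that came from an older host or was generated by hand.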