[Triumf-linux-managers] recommended minima in /etc/pki/tls/openssl.cnf
Konstantin Olchanski
olchansk at triumf.ca
Fri Mar 20 15:20:12 PDT 2015
On Thu, Mar 19, 2015 at 06:50:57PM -0700, Andrew Daviel wrote:
>
> To obtain the current-good-practice strength of SSL keys, you should
> set these defaults in /etc/pki/tls/openssl.cnf
>
> [ req ]
> default_bits = 2048
> default_md = sha256
>
> [ CA_default ]
> default_md = sha256 # which md to use.
>
> Other defaults may be set to TRIUMF, BC etc. so as to generate
> server certificate requests with pre-filled fields, so this file may
> not match the original RPM.

Alternatively, explicitly specify the correct settings for RSA key length (-newkey rsa:2048)
and signature (-sha256 in both commands):
make request: openssl req -new -nodes -newkey rsa:2048 -sha256 -out ladd09.csr -keyout ladd09.key
(answer: CA, BC, Vancouver, TRIUMF, DAQ, ladd09.triumf.ca, email at email.com)
sign it by TRIUMF: Mail -s "Andrew, please sign and return to email at email.com" andrew at email.com < ladd09.csr
sign it yourself: openssl x509 -req -days 365 -sha256 -in ladd09.csr -signkey ladd09.key -out ladd09.crt
--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
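
The following is an added example, not part of the original post: a shell check that a CSR or certificate actually meets the minima discussed in this thread (RSA key of at least 2048 bits, SHA-256 or stronger signature digest), by parsing the text dump from openssl. The function names meets_minima and check_file are hypothetical, and the two sample strings are constructed fragments of openssl text output.

```shell
#!/bin/sh
# Added example: check `openssl ... -noout -text` output against the thread's minima.
MIN_BITS=2048

# Reads `openssl req -noout -text` or `openssl x509 -noout -text` output on stdin.
# Prints "<bits> <signature algorithm>" and returns 0 only when the key has at
# least MIN_BITS bits and the signature digest is SHA-256 or stronger.
# Covers RSA signatures as used in the thread; anything else is reported as failing.
meets_minima() {
    text=$(cat)
    # Matches both "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    printf '%s %s\n' "${bits:-unknown}" "${sigalg:-unknown}"
    # Missing or short key length fails first.
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ] || return 1
    case "$sigalg" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;   # sha1, md5, or not recognised
    esac
}

# Wrapper for files on disk: *.csr is read as a request, anything else as a certificate.
check_file() {
    case "$1" in
        *.csr) openssl req  -noout -text -in "$1" | meets_minima ;;
        *)     openssl x509 -noout -text -in "$1" | meets_minima ;;
    esac
}

# Constructed samples: the two relevant lines of a text dump, first for a
# 1024-bit key signed with SHA-1, then for the settings recommended above.
WEAK_SAMPLE='                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'
GOOD_SAMPLE='                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'
```

With the files from the commands above, `check_file ladd09.csr` and `check_file ladd09.crt` each print the key size and signature algorithm and return non-zero if either is below the minimum.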