Thread: SSL Cert and CSR: Best practices?

  1. #1
    Join Date
    Jan 2008
    Beans
    91

    SSL Cert and CSR: Best practices?

    I'm about to create a CSR and was reading this page in the Ubuntu docs:
    https://help.ubuntu.com/10.04/server...-security.html

    A couple of things:
    * There's no date on the article. The documentation needs DATES because this information gets out of date! Check MySQL docs, for instance -- they are organized by version.
    * The instructions for generating a cert only specify 2048 bits. I believe that's kind of out of date? The verisign site has big red warnings saying you need 2048 if you want your cert to last past 2013 -- and that article is 4 years old!
    * The instructions are confusing when discussing the passphrase. We enter a passphrase only to remove it immediately. We need some clarity here. Why do this?

    Can anyone help me to understand the current best practices for generating an HTTPS cert for apache and/or mail access?

  2. #2
    Join Date
    Aug 2011
    Beans
    26

    Re: SSL Cert and CSR: Best practices?

    Here's a good howto about certificate generation:
    http://www.akadia.com/services/ssh_t...rtificate.html

    The 2048 bit encryption is the one preferred these days

    Last edited by dinu90; January 5th, 2012 at 08:27 AM.

  3. #3
    Join Date
    Jan 2008
    Beans
    91

    Re: SSL Cert and CSR: Best practices?

    Thanks for your response. I've already created my key, a CSR, and a self-signed cert. I'm sort of wondering about some more specific issues than how to simply create it:
    * Does the US Government impose any restrictions on the size of one's encryption key? I know that the US Government restricts the export of encryption technology, purportedly as a matter of national security. That document I linked is not particularly helpful.
    * Hasn't DES been superseded by AES? I've seen a variety of links talking about threats to DES and that DES3 is a band-aid of sorts.
    * Is there any risk if some bad person obtains a copy of my certificate signing request? If so, what is the nature of this risk?

    And one other question:
    * Must I revoke an existing certificate for www.mydomain.com before obtaining a new one?

  4. #4
    Join Date
    Apr 2009
    Beans
    17

    Re: SSL Cert and CSR: Best practices?

    Answering just a few of your questions:

    Quote Originally Posted by sneakyimp View Post
    * Hasn't DES been superseded by AES? I've seen a variety of links talking about threats to DES and that DES3 is a band-aid of sorts.
    Yes, I'd use AES over 3DES. DES is only a 56-bit key, so avoid that for sure these days.

    Quote Originally Posted by sneakyimp View Post
    * Is there any risk if some bad person obtains a copy of my certificate signing request? If so, what is the nature of this risk?
    Not really. The certificate signing request doesn't contain your private key, which is the part you need to keep protected. Your CSR will have much of the same information as your public certificate itself.

    Quote Originally Posted by sneakyimp View Post
    * Must I revoke an existing certificate for www.mydomain.com before obtaining a new one?
    No, you can have multiple certificates valid at the same time. Revoking is generally used when someone steals your private key.
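To make the workflow behind this thread concrete, here is an added shell example; it is not from any post in the thread and not from the Ubuntu page the opening post links to. It walks through the steps the first post found confusing (generate a key with a passphrase, create the CSR, then strip the passphrase for the copy the web server loads unattended) and then checks the claims in the answer above: the key is 2048 bits, the key is encrypted at rest with AES rather than 3DES, the CSR contains no private key material, and the CSR's public key is the one belonging to the server key. It assumes the `openssl` command-line tool is installed; the passphrase, file names and certificate subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Ubuntu docs): key + CSR workflow
# with checks on what the CSR actually contains. Assumes the openssl CLI.
set -e

WORK=$(mktemp -d)
PASS="example-passphrase-not-for-production"   # constructed, demo only
SUBJ="/C=US/ST=State/L=City/O=Example Org/CN=www.example.com"  # constructed

# 1. Generate a 2048-bit RSA key, encrypted at rest with AES-256 (not 3DES).
gen_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$WORK/server.key.enc" 2048 2>/dev/null
}

# 2. Build the CSR from the encrypted key. The CSR carries the subject and
#    the public key plus a self-signature; the private key never leaves here.
gen_csr() {
    openssl req -new -key "$WORK/server.key.enc" -passin "pass:$PASS" \
        -subj "$SUBJ" -out "$WORK/server.csr" 2>/dev/null
}

# 3. Write a passphrase-free copy for the daemon to load at boot. This is the
#    "enter a passphrase only to remove it" step: the encrypted copy is for
#    backup/offline storage, the stripped copy is what Apache reads, so it
#    must be protected by file permissions instead (umask 077 -> mode 0600).
strip_passphrase() {
    umask 077
    openssl rsa -in "$WORK/server.key.enc" -passin "pass:$PASS" \
        -out "$WORK/server.key" 2>/dev/null
}

# --- checks -------------------------------------------------------------

# Key size as reported by openssl, e.g. 2048.
key_bits() {
    openssl rsa -in "$WORK/server.key" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Cipher named in the encrypted key's PEM header (AES-256-CBC expected).
key_cipher() {
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$WORK/server.key.enc"
}

# Does the CSR file contain any private key block?  Expected: no.
csr_has_private_key() {
    if grep -q "PRIVATE KEY" "$WORK/server.csr"; then echo yes; else echo no; fi
}

# Does the public key inside the CSR equal the public half of our key?
csr_matches_key() {
    csr_pub=$(openssl req -in "$WORK/server.csr" -noout -pubkey 2>/dev/null | openssl md5)
    key_pub=$(openssl rsa -in "$WORK/server.key" -pubout 2>/dev/null | openssl md5)
    if [ "$csr_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Is the CSR's self-signature valid (what a CA checks before issuing)?
csr_signature_ok() {
    if openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# Human-readable view of what a CSR exposes: subject and public key only.
csr_summary() {
    openssl req -in "$WORK/server.csr" -noout -subject
}

gen_key
gen_csr
strip_passphrase
```

Running the block leaves an encrypted key (`server.key.enc`), a passphrase-free key (`server.key`, mode 0600) and the CSR in a temporary directory; `csr_summary` shows that the CSR exposes nothing beyond what the issued certificate will publish anyway, which is why losing a copy of the CSR is not the risk that losing `server.key` would be. The `DEK-Info` header check only applies to keys written in the traditional PEM format; on OpenSSL 3 `genrsa -aes256` still writes that format, so the check holds there too.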

  5. #5
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: SSL Cert and CSR: Best practices?

    Quote Originally Posted by sneakyimp View Post
    Must I revoke an existing certificate for www.mydomain.com before obtaining a new one?
    In your case, that is if we're talking about a certain thread elsewhere, the meaning of "must" changes significantly IMO: 0) if your private key was left on the system unprotected and you 1) cannot determine whether it could have been siphoned off said system and 2) given your intention to provide paying customers with a safe and trustworthy environment to conduct business in, I would argue against not revoking that certificate.

  6. #6

    Re: SSL Cert and CSR: Best practices?

    Quote Originally Posted by sneakyimp View Post
    The documentation needs DATES because this information gets out of date! Check MySQL docs, for instance -- they are organized by version.
    lol

    You do realize that the link you posted shows:
    https://help.ubuntu.com/10.04/server...-security.html

  7. #7
    Join Date
    Jan 2008
    Beans
    91

    Re: SSL Cert and CSR: Best practices?

    OK yes I see now that the version is in the URL (and also listed quite small at the top) but there is no *date* on the article and it only uses 1024-bit keys which makes me think it's out of date.
