doc: Spice up generated CA
Use AES (the successor of DES) to encrypt private key. Further
reading:
* http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
* https://ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
"3DES provides about 112 bits of security. This is below the
recommended minimum of 128 bits, but it's still strong enough. A
bigger practical problem is that 3DES is much slower than the
alternatives. Thus, we don't recommend it for performance reasons,
but it can be kept at the end of the cipher list for
interoperability with very old clients."
* http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf
Use SHA256 for our CA. This avoids accidental use of SHA1 or MD5 which
could be default values.
Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
Lorenz Leutgeb authored on 2015/01/05 05:15:30Showing 1 changed files
| ... | ... |
@@ -30,14 +30,14 @@ First, initialize the CA serial file and generate CA private and public |
| 30 | 30 |
keys: |
| 31 | 31 |
|
| 32 | 32 |
$ echo 01 > ca.srl |
| 33 |
- $ openssl genrsa -des3 -out ca-key.pem 2048 |
|
| 33 |
+ $ openssl genrsa -aes256 -out ca-key.pem 2048 |
|
| 34 | 34 |
Generating RSA private key, 2048 bit long modulus |
| 35 | 35 |
......+++ |
| 36 | 36 |
...............+++ |
| 37 | 37 |
e is 65537 (0x10001) |
| 38 | 38 |
Enter pass phrase for ca-key.pem: |
| 39 | 39 |
Verifying - Enter pass phrase for ca-key.pem: |
| 40 |
- $ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem |
|
| 40 |
+ $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem |
|
| 41 | 41 |
Enter pass phrase for ca-key.pem: |
| 42 | 42 |
You are about to be asked to enter information that will be incorporated |
| 43 | 43 |
into your certificate request. |