1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

doc: Spice up generated CA

Use AES (the successor of DES) to encrypt private key. Further
reading:

 * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
 * https://ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
   "3DES provides about 112 bits of security. This is below the
    recommended minimum of 128 bits, but it's still strong enough. A
    bigger practical problem is that 3DES is much slower than the
    alternatives. Thus, we don't recommend it for performance reasons,
    but it can be kept at the end of the cipher list for
    interoperability with very old clients."

 * http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf

Use SHA256 for our CA. This avoids accidental use of SHA1 or MD5 which
could be default values.

Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
This commit is contained in:
Lorenz Leutgeb 2015-01-04 21:15:30 +01:00
parent f957f258d7
commit a3d5f874c1

View file

@ -30,14 +30,14 @@ First, initialize the CA serial file and generate CA private and public
keys:
$ echo 01 > ca.srl
$ openssl genrsa -des3 -out ca-key.pem 2048
$ openssl genrsa -aes256 -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
......+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.