From a3d5f874c108d3e7d58a7f86c0ef0eea6fcca85f Mon Sep 17 00:00:00 2001 From: Lorenz Leutgeb Date: Sun, 4 Jan 2015 21:15:30 +0100 Subject: [PATCH] doc: Spice up generated CA Use AES (the successor of DES) to encrypt private key. Further reading: * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf * https://ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf "3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it's still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don't recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients." * http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf Use SHA256 for our CA. This avoids accidental use of SHA1 or MD5 which could be default values. Signed-off-by: Lorenz Leutgeb --- docs/sources/articles/https.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sources/articles/https.md b/docs/sources/articles/https.md index ab5ed2095c..834206b0b4 100644 --- a/docs/sources/articles/https.md +++ b/docs/sources/articles/https.md @@ -30,14 +30,14 @@ First, initialize the CA serial file and generate CA private and public keys: $ echo 01 > ca.srl - $ openssl genrsa -des3 -out ca-key.pem 2048 + $ openssl genrsa -aes256 -out ca-key.pem 2048 Generating RSA private key, 2048 bit long modulus ......+++ ...............+++ e is 65537 (0x10001) Enter pass phrase for ca-key.pem: Verifying - Enter pass phrase for ca-key.pem: - $ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem + $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem Enter pass phrase for ca-key.pem: You are about to be asked to enter information that will be incorporated into your certificate request.
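Review bot: the rationale in the commit message (AES-256 in place of 3DES for the key file, SHA-256 to avoid a SHA-1 or MD5 default digest) does not reach readers of the rendered page, because the hunk only swaps the two command lines and leaves the surrounding text of the "initialize the CA" step untouched; a one-line note next to `$ openssl genrsa -aes256 -out ca-key.pem 2048` and `$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem` saying why those flags are there would make the guidance survive copy-and-paste. One caveat worth stating in that note: `genrsa -aes256` still writes the legacy encrypted PEM format, so the passphrase-to-key derivation remains the old single-iteration MD5 scheme and only the cipher has been strengthened; converting with `openssl pkcs8 -topk8 -v2 aes-256-cbc` would give PKCS#8 with PBKDF2 if stronger passphrase protection is the goal. The unchanged context lines (the `Generating RSA private key` output and the two pass-phrase prompts) still match the new command, so no other output in the hunk needs updating.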