On 9/20/2010 12:57 PM, Bhuvaneswaran A wrote:
> Ref: http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#keysize
>
> In Apache 2.2.11, as far as I tested, the use of 2048 bit server
> certificate is supported.
> [bhu...@cu062 CERTS]$ openssl rsa -noout -text -in server2048.key|grep key -i
> Private-Key: (2048 bit)
>
> However the following FAQ item is misleading.
> -------------------------------------------------------------
> Why does my 2048-bit private key not work?
>
> The private key sizes for SSL must be either 512 or 1024 bits, for
> compatibility with certain web browsers. A keysize of 1024 bits is
> recommended because keys larger than 1024 bits are incompatible with
> some versions of Netscape Navigator and Microsoft Internet Explorer,
> and with other browsers that use RSA's BSAFE cryptography toolkit.
> -------------------------------------------------------------
>
> Either the FAQ item should be removed, or fixed as follows:
> -------------------------------------------------------------
> May I use 2048-bit private key?
>
> Yes, you can use 2048-bit private key. However, the keysize of 1024
> bits is recommended because keys larger than 1024 bits are
> incompatible with some versions of Netscape Navigator and Microsoft
> Internet Explorer, and with other browsers that use RSA's BSAFE
> cryptography toolkit.
> -------------------------------------------------------------
>

+1
Bear in mind that many TTPs are no longer issuing signed certs with less than a 2048 bit modulus.

Issac
