Hi all,

While making a self-signed key for use with Apache I noticed that the
FAQ recommends deprecated crypto (RSA-1024 and SHA-1).  I chose
RSA-4096 and SHA-256 instead.  A couple of patches for the website and
manual page are below.

You can see an example of the resulting cert on my personal site (no
linkspam), which works fine with both xxxterm and Firefox.

Any problems with this?

Nicolai

--- faq10.html.orig     Tue May  1 09:42:54 2012
+++ faq10.html  Wed May 16 14:20:36 2012
@@ -486,7 +486,7 @@
 OpenSSL:

 <blockquote><pre>
-# <b>openssl genrsa -out /etc/ssl/private/server.key 1024</b>
+# <b>openssl genrsa -out /etc/ssl/private/server.key 4096</b>
 </pre></blockquote>

 <p>
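Review bot: the jump straight from 1024 to 4096 bits deserves a sentence in the surrounding FAQ text, because a 4096-bit RSA key makes every TLS handshake roughly eight times more expensive on the server than 1024 (and about four times more than 2048) and key generation itself can take noticeably longer on older hardware. 2048 bits is the usual recommended minimum today; if the FAQ is going to document 4096 as the example, say why, or document 2048 with a note that larger keys are acceptable, so that readers on small systems do not assume 4096 is required.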
@@ -494,7 +494,7 @@
 have to type in when starting servers

 <blockquote><pre>
-# <b>openssl genrsa -des3 -out /etc/ssl/private/server.key 1024</b>
+# <b>openssl genrsa -des3 -out /etc/ssl/private/server.key 4096</b>
 </pre></blockquote>

 <p>
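Review bot: the `-des3` option is left as-is in this hunk, which is inconsistent with the stated goal of removing deprecated crypto from the FAQ. The traditional PEM encryption selected here derives the 3DES key from the passphrase with a single pass of MD5 and no salt stretching, so the passphrase is the only real protection. Suggest `openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096` so that the passphrase-protected form does not use a weaker cipher than the cert it protects, and keep the note that the passphrase must be typed when the server starts.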
@@ -517,7 +517,7 @@
 yourself, you can use the following.

 <blockquote><pre>
-# <b>openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
+# <b>openssl x509 -sha256 -req -days 365 -in /etc/ssl/private/server.csr \
        -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt</b>
 </pre></blockquote>
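Review bot: `-sha256` here only sets the digest used for the certificate's own signature; it does nothing for the CSR generated by the `openssl req` step earlier in the FAQ, which is outside this hunk and will still use OpenSSL's default digest unless it also gets `-sha256`. Since the cert is the artifact clients verify, this hunk is the important one, but it would help readers to add a one-line check after the command so they can confirm the result, for example `openssl x509 -in /etc/ssl/server.crt -noout -text | grep 'Signature Algorithm'`, which should print `sha256WithRSAEncryption`.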




--- ssl.8.orig  Wed Aug 17 10:55:25 2011
+++ ssl.8       Wed May 16 14:59:05 2012
@@ -110,13 +110,13 @@
 .Ar RSA
 certificate.
 .Bd -literal -offset indent
-# openssl genrsa -out /etc/ssl/private/server.key 1024
+# openssl genrsa -out /etc/ssl/private/server.key 4096
 .Ed
 .Pp
 Or, if you wish the key to be encrypted with a passphrase that you will
 have to type in when starting servers
 .Bd -literal -offset indent
-# openssl genrsa -des3 -out /etc/ssl/private/server.key 1024
+# openssl genrsa -des3 -out /etc/ssl/private/server.key 4096
 .Ed
 .Pp
 The next step is to generate a
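Review bot: the `genrsa -out /etc/ssl/private/server.key` command as documented writes the key file with whatever mode the current umask gives it, and the manual page says nothing about permissions even though the path is the system's private key directory. Since this hunk is touching both genrsa lines anyway, consider adding a sentence after them recommending `umask 077` before running the command, or `chmod 600 /etc/ssl/private/server.key` afterwards, and checking the result with `ls -l`. The same `-des3` vs. `-aes256` question raised for the FAQ applies to the second command here as well.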
@@ -139,8 +139,9 @@
 .Pp
 You can also sign the key yourself, using the command:
 .Bd -literal -offset indent
-# openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \e
-  -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
+# openssl x509 -sha256 -req -days 365 -in \e
+  /etc/ssl/private/server.csr -signkey \e
+  /etc/ssl/private/server.key -out /etc/ssl/server.crt
 .Ed
 .Pp
 With
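Review bot: the re-wrapping in this hunk separates each option from its argument (`-in \e` on one line, the path on the next, and likewise for `-signkey`), which makes the command harder to read and to copy than the original two-line form. Suggest keeping option and argument together and breaking between complete option groups instead, for example `# openssl x509 -sha256 -req -days 365 \e` followed by `-in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key \e` and `-out /etc/ssl/server.crt`, which also keeps the manual page's example parallel to the FAQ's.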
