> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of jim.armstrong
>
> openssl version -a returns OpenSSL 0.9.8g - Platform: debian-i386-i686/cmov
>
> There's an existing csr file on the server. Can I use this csr file or do I
> need to generate a new one? All the info on the existing file is accurate
> and it's 2048 bit. So no changes need to be made to it. If I needed to
> generate a new one, I'd simply use the existing one to fill out the fields.
If you generate a CSR, and let's suppose it's valid for 1 year, so a year later you return to the same directory where you previously created your CSR, and you're now considering reusing last year's private key and CSR, as opposed to generating a new private key and a new CSR exactly like you did last time...

You *can* reuse last year's CSR, but you shouldn't.

The more data you encrypt using a specific key, the more prone it will be to attack. The whole time you're using your key, it's conceivable somebody's listening to all the data, looking for signs of collision, and the more data you encrypt with it, the more likely an eventual collision actually is. A collision doesn't automatically give up data, but it can't help, it can only harm. So you want to avoid it, however improbable and however insignificant it probably is.

I forget exactly how to calculate the amount of encrypted data before expected collision, but it's not astronomical. It is worldly. If you set your servers to busy work trying to accidentally run into a collision, you can do it. The amount of data calculation is in one of my textbooks, but the point is: There's no good reason to reuse last year's key; and however improbable and however insignificant the possibility of problems, there is a good reason to generate a new one. Which then necessitates a new CSR.

It is best practice to generate a new key & CSR. Don't reuse last year's, even though you can.

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
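The renewal the reply recommends (a fresh private key and a fresh CSR, with only the subject fields copied from the existing CSR), as an added shell example that is not part of the original thread. It assumes a POSIX shell with the `openssl` CLI on PATH; the directory and file names are made up.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a NEW private key
# and a NEW CSR, copying only the subject fields from last year's CSR, then
# check that the new request verifies and really carries a different key.
# Assumes a POSIX shell and the `openssl` CLI; file names are constructed here.
set -eu

# Print a CSR's subject in the slash form that `openssl req -subj` accepts.
subject_of_csr() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Create key + CSR in directory $1 for subject $2 (2048-bit RSA, as in the question).
fresh_key_and_csr() {
    dir=$1; subj=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj "$subj" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key never leaves this host
}

# SHA-256 of the public key embedded in a CSR (DER), used to compare requests.
csr_pubkey_fingerprint() {
    openssl req -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the CSR's self-signature verifies (the key in the CSR
# really signed it, so it has not been corrupted or tampered with).
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Renew: $1 holds last year's server.csr, $2 receives the new key and CSR.
# Succeeds only if the new CSR verifies and its key differs from the old one.
renew_csr() {
    old=$1; new=$2
    fresh_key_and_csr "$new" "$(subject_of_csr "$old/server.csr")"
    csr_verifies "$new/server.csr"
    [ "$(csr_pubkey_fingerprint "$old/server.csr")" != \
      "$(csr_pubkey_fingerprint "$new/server.csr")" ]
}
```

Run as `renew_csr /path/to/last_year /path/to/this_year`; the old key and CSR are never modified, so they can be retired once the new certificate is installed.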