tech-security archive


Best practices for creating an SSL certificate



        Hello,

I would like to use OpenSSL to create an SSL certificate for an
Internet service and spend a bit of money to get it signed by one
of the usual certificate authorities.

Before I spend the money I would like to make sure that I create a
sensible (secure) certificate. In the past I've used something like this:

[ req ]
default_bits            = 2048
default_days            = 380
default_md              = sha1

prompt                  = no
distinguished_name      = foo_bar_distinguished_name

x509_extensions         = foo_bar_extensions

[ foo_bar_distinguished_name ]
commonName              = some.name
stateOrProvinceName     = Some State
countryName             = UK
emailAddress            = where%ev.er@localhost
organizationName        = Foo Bar

[ foo_bar_extensions ]
basicConstraints        = CA:false

Are these settings safe enough? Is a stronger message digest algorithm
than SHA1 widely supported? Should I switch off MD5 and how?

        Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/
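
An added example, not part of the original message: a small checker that reads an OpenSSL req configuration like the one quoted above and reports on the two settings the message asks about, the signature digest and the key size. The list of weak digests and the 2048-bit RSA minimum are assumptions of this example, and the sample input is constructed from the quoted config.

```python
import re

# Assumptions of this example (not from the original message):
WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}
MIN_RSA_BITS = 2048

# Constructed sample: the relevant parts of the config quoted in the message.
SAMPLE = """\
[ req ]
default_bits            = 2048
default_md              = sha1
prompt                  = no
distinguished_name      = foo_bar_distinguished_name

[ foo_bar_extensions ]
basicConstraints        = CA:false
"""

def parse_openssl_conf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def audit_req(text):
    """Return a list of findings for the [ req ] section."""
    req = parse_openssl_conf(text).get("req", {})
    findings = []
    digest = req.get("default_md", "").lower()
    if not digest:
        findings.append("default_md not set: digest depends on the OpenSSL default")
    elif digest in WEAK_DIGESTS:
        findings.append(f"default_md = {digest}: weak signature digest")
    bits = req.get("default_bits")
    if bits is not None and (not bits.isdigit() or int(bits) < MIN_RSA_BITS):
        findings.append(f"default_bits = {bits}: below {MIN_RSA_BITS}")
    return findings

if __name__ == "__main__":
    for finding in audit_req(SAMPLE):
        print(finding)
```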

