Re: Best pratices for creating an SSL certificate

[Steven Bellovin <smb%cs.columbia.edu@localhost>]

On Aug 30, 2011, at 1:21 09PM, Matthias Scheler wrote:

> 
>       Hello,
> 
> I would like to use OpenSSL to create an SSL certificate for an
> Internet service and spend a bit of money to get it signed by one
> of the usual certificate authorities.
> 
> Before I spend the money I would like to make sure that I create a
> sensible (secure) certificate. In the past I've used something like this:
> 
> [ req ]
> default_bits          = 2048
> default_days          = 380
> default_md            = sha1
> 
> prompt                        = no
> distinguished_name    = foo_bar_distinguished_name
> 
> x509_extensions               = foo_bar_extensions
> 
> [ foo_bar_distinguished_name ]
> commonName            = some.name
> stateOrProvinceName   = Some State
> countryName           = UK
> emailAddress          = where%ev.er@localhost
> organizationName      = Foo Bar
> 
> [ foo_bar_extensions ]
> basicConstraints      = CA:false
> 
> Are these settings safe enough? Is a stronger message digest algorithm
> than SHA1 widely support? Should I switch of MD5 and how?
> 
What you've specified -- 2048-bit RSA with SHA-1 -- is about as strong
as is generally usable.  A longer modulus is too expensive for some devices
(or, quite possibly, for your server, if you have many clients); besides,
well before that the weak point is the software, not the crypto.  MD5
should never be used; it's far too weak.  SHA-1 has its weaknesses but
they're still too expensive to represent a general threat, and too many
clients don't support anything stronger (SHA-256/384/512 -- SHA-3 hasn't
yet been picked, though the process is approaching its end).


                --Steve Bellovin, https://www.cs.columbia.edu/~smb