Re: Best pratices for creating an SSL certificate

[Thor Lancelot Simon <tls%panix.com@localhost>]

On Tue, Aug 30, 2011 at 09:04:33PM +0100, Matthias Scheler wrote:
> On Tue, Aug 30, 2011 at 01:29:18PM -0400, Steven Bellovin wrote:
> > What you've specified -- 2048-bit RSA with SHA-1 -- is about as strong
> > as is generally usable.
> 
> Good.
> 
> >  A longer modulus is too expensive for some devices
> 
> Yes, quite likely as some of the device will be smart phones.

Unfortunately, there has been a mad rush to 2048 bit keys when an
intermediate length like 1280 would work just fine.  Many browsers
will no longer *accept* any keys shorter than 2048 without throwing
a warning.  The result, in my opinion, is a net reduction in security
because the performance reduction on the server side from using 2048
bit keys is a major impediment to simply using HTTPS all the time and
HTTP never.

The way out of the hole is EC.  However, last I checked it was quite
hard to actually get an EC certificate signed by a certificate
authority.  I wonder whether this has changed.

> > MD5 should never be used; it's far too weak.
> 
> I know. But can I enforce that by disabling MD5 on the certificate?

No, I am unaware of any way to do so.  However, you need to ensure that
the hash algorithm used on the certificate *itself* is SHA1, not MD5.
This is an OpenSSL option on the Certificate Signing Request and should
be honored by the signing Certificate Authority, which is to say, they
should sign with an algorithm no weaker than that you used on the CSR
(check! if it's not, demand your money back!).

Thor