On Wed, May 16, 2012 at 03:14:54PM -0500, Nicolai wrote:
> Hi all,
> 
> While making a self-signed key for use with Apache I noticed that the
> FAQ recommends deprecated crypto (RSA-1024 and SHA1).  I chose instead
> RSA-4096 and sha256.  A couple patches for the website and manual page
> are below.
> 
> You can see an example of the resulting cert on my personal site (no
> linkspam), which works fine with both xxxterm and Firefox.
> 
> Any problems with this?
> 
> Nicolai
> 

changes committed, thanks.
jmc

> --- faq10.html.orig     Tue May  1 09:42:54 2012
> +++ faq10.html  Wed May 16 14:20:36 2012
> @@ -486,7 +486,7 @@
>  OpenSSL:
> 
>  <blockquote><pre>
> -# <b>openssl genrsa -out /etc/ssl/private/server.key 1024</b>
> +# <b>openssl genrsa -out /etc/ssl/private/server.key 4096</b>
>  </pre></blockquote>
> 
>  <p>
> @@ -494,7 +494,7 @@
>  have to type in when starting servers
> 
>  <blockquote><pre>
> -# <b>openssl genrsa -des3 -out /etc/ssl/private/server.key 1024</b>
> +# <b>openssl genrsa -des3 -out /etc/ssl/private/server.key 4096</b>
>  </pre></blockquote>
> 
>  <p>
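
Review bot: the passphrase example on the + line still passes -des3, so the new 4096-bit key is stored encrypted under Triple DES while the rest of the patch moves away from dated algorithms. genrsa also accepts -aes128, -aes192 and -aes256; consider "openssl genrsa -aes256 -out /etc/ssl/private/server.key 4096" for this example.
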
> @@ -517,7 +517,7 @@
>  yourself, you can use the following.
> 
>  <blockquote><pre>
> -# <b>openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
> +# <b>openssl x509 -sha256 -req -days 365 -in /etc/ssl/private/server.csr \
>         -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt</b>
>  </pre></blockquote>
> 
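
Review bot: nothing around the changed x509 line tells the reader what -sha256 is for or how to confirm it took effect. Suggest one sentence saying it selects the digest used to sign the certificate, plus a check such as "openssl x509 -noout -text -in /etc/ssl/server.crt", where the Signature Algorithm field should read sha256WithRSAEncryption.
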
> 
> 
> 
> --- ssl.8.orig  Wed Aug 17 10:55:25 2011
> +++ ssl.8       Wed May 16 14:59:05 2012
> @@ -110,13 +110,13 @@
>  .Ar RSA
>  certificate.
>  .Bd -literal -offset indent
> -# openssl genrsa -out /etc/ssl/private/server.key 1024
> +# openssl genrsa -out /etc/ssl/private/server.key 4096
>  .Ed
>  .Pp
>  Or, if you wish the key to be encrypted with a passphrase that you will
>  have to type in when starting servers
>  .Bd -literal -offset indent
> -# openssl genrsa -des3 -out /etc/ssl/private/server.key 1024
> +# openssl genrsa -des3 -out /etc/ssl/private/server.key 4096
>  .Ed
>  .Pp
>  The next step is to generate a
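
Review bot: both genrsa examples move from 1024 to 4096 with no word in the manual about the trade-off. RSA private-key operations get markedly slower as the modulus grows, which matters for a server doing many TLS handshakes on slow hardware. A sentence noting that 4096 is a choice, and that a smaller size such as 2048 can be given instead, would let the admin decide.
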
> @@ -139,8 +139,9 @@
>  .Pp
>  You can also sign the key yourself, using the command:
>  .Bd -literal -offset indent
> -# openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \e
> -  -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
> +# openssl x509 -sha256 -req -days 365 -in \e
> +  /etc/ssl/private/server.csr -signkey \e
> +  /etc/ssl/private/server.key -out /etc/ssl/server.crt
>  .Ed
>  .Pp
>  With
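
Review bot: the rewrapped command breaks after -in and after -signkey, so each of those options is separated from its argument by a line continuation, which is harder to read and to copy than the old layout. Break before the options instead: end the first line after "-days 365", then put "-in /etc/ssl/private/server.csr", "-signkey /etc/ssl/private/server.key" and "-out /etc/ssl/server.crt" each on its own continued line, so every flag stays with its path.
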
