Out of general interest,

Assuming a "low e" (such as e=65537) RSA public key, how big is the
cost of going from a 2048-bit to a 4096-bit modulus for an
intermediary CA, given that verifications will significantly
outnumber signings for a CA key?

On 29/09/2014 09:26, Kyle Hamilton wrote:
Generally, a client doesn't bother checking a certificate that's in its local trust store. The idea is, if it's in its trusted store, there's no need to verify its integrity, because the administrator already performed that verification.

Where this might have an impact is if your new certificate is cross-certified by another organization's root. You'll have to judge for yourself how likely this scenario might be for your environment.

On September 28, 2014 11:59:29 PM PDT, Jason Haar <jason_h...@trimble.com> wrote:

    Hi there

    Due to the upcoming Google-instigated phasing out of SHA-1, I'm looking
    at creating a new enterprise CA (i.e. internal only).

    If I just "click through" the defaults of "openssl ca", I'd probably end
    up with a 2048-bit RSA, SHA-2 (256) cert. So my question is, should I
    future-proof that by making it 4096-bit and maybe SHA-2 (512)? (i.e. I want
    the CA to be viable for 10 years, not 5 years.) What is the performance
    impact of increasing these values of the CA cert itself? I'd expect to
    still only sign 2048-bit, SHA-256 server/client certs - but is there a
    real performance downside to making the CA cert itself stronger? I don't
    care if the CA takes 30 seconds longer to sign a cert - but I'd really
    care if it made a web browser hang when talking to the resultant server
    cert ;-)


--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 <tel:+4531131610>
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org