Out of general interest,
Assuming a "low e" (such as e=65537) RSA public key, how big is the
cost of going from a 2048 bit to a 4096 bit modulus for an
intermediary CA, given that verifications will significantly
outnumber signings for a CA key?
On 29/09/2014 09:26, Kyle Hamilton wrote:
Generally, a client doesn't bother checking a certificate that's in
its local trust store. The idea is, if it's in its trusted store,
there's no need to verify its integrity, because the administrator
already performed that verification.
Where this might have an impact is if your new certificate is
cross-certified by another organization's root. You'll have to judge
for yourself how likely this scenario might be for your environment.
On September 28, 2014 11:59:29 PM PDT, Jason Haar
<jason_h...@trimble.com> wrote:
Hi there
Due to the upcoming Google-instigated phasing out of SHA-1, I'm looking
at creating a new enterprise CA (i.e. internal only).
If I just "click through" the defaults of "openssl ca", I'd probably end
up with a 2048-bit RSA, SHA-2 (256) cert. So my question is, should I
future proof that by making it 4096-bit and maybe SHA-2 (512)? (i.e. I want
the CA to be viable for 10 years, not 5 years). What is the performance
impact of increasing these values of the CA cert itself? I'd expect to
still only sign 2048-bit, SHA-256 server/client certs - but is there a
real performance downside to making the CA cert itself stronger? I don't
care if the CA takes 30 seconds longer to sign a cert - but I'd really
care if it made a web browser hang when talking to the resultant server
cert ;-)
--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
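
Added example, not part of the original thread: a way to measure the verification cost asked about above. With e=65537 a verify is always 16 squarings plus 1 multiply whatever the modulus size, so the extra cost at 4096 bits comes only from the wider operands. The function names are hypothetical, random odd integers stand in for real RSA moduli (constructed values, adequate for timing only), and the full-length exponent case ignores the CRT speed-up real signers use.

```python
import secrets
import timeit

E = 65537  # the "low e" public exponent named in the question


def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, squarings, multiplies)."""
    result, squarings, multiplies = base % mod, 0, 0
    for bit in bin(exp)[3:]:  # skip "0b" and the leading 1 bit
        result = result * result % mod
        squarings += 1
        if bit == "1":
            result = result * base % mod
            multiplies += 1
    return result, squarings, multiplies


def random_odd(bits):
    """Constructed stand-in for a modulus or exponent: random, odd, exactly `bits` long."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def op_counts(bits):
    """Modular multiplications for a verify (e=65537) and for a full-length exponent."""
    n = random_odd(bits)
    sig = secrets.randbelow(n)
    _, v_sq, v_mul = modexp_counted(sig, E, n)
    # Full-length exponent without CRT: an upper bound on private-key work.
    _, s_sq, s_mul = modexp_counted(sig, random_odd(bits), n)
    return {"verify": v_sq + v_mul, "sign": s_sq + s_mul}


def verify_time(bits, repeats=2000):
    """Mean seconds for one sig^e mod n using Python's built-in pow()."""
    n = random_odd(bits)
    sig = secrets.randbelow(n)
    return timeit.timeit(lambda: pow(sig, E, n), number=repeats) / repeats


if __name__ == "__main__":
    for bits in (2048, 4096):
        c = op_counts(bits)
        print(f"{bits}-bit: verify {c['verify']} mod-mults, "
              f"full-length exponent {c['sign']} mod-mults, "
              f"verify {verify_time(bits) * 1e6:.1f} us")
```

The timings are for Python big integers, so read them as a ratio between the two sizes; `openssl speed rsa2048 rsa4096` reports the figures for OpenSSL itself.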