This diff changes the ssl(8) man page to use a key size of 2048 bits when generating the RSA private key for use with httpd. Increasing numbers of CAs will no longer accept 1024-bit RSA CSRs as a response to NIST's draft publication SP800-57 "Recommendation for Key Management."
In addition, it changes the recommended algorithm for encrypting the private key from 3DES to AES-256. Thoughts? Lawrence Index: ssl.8 =================================================================== RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.46 diff -u -p -r1.46 ssl.8 --- ssl.8 26 Mar 2010 19:30:40 -0000 1.46 +++ ssl.8 2 Sep 2011 03:04:03 -0000 @@ -94,7 +94,7 @@ directory, with the keys in the directory. .Pp Private keys can be encrypted using -.Ar 3DES +.Ar AES and a passphrase to protect their integrity should the encrypted file be disclosed. However, it is important to note that encrypted server keys mean that the @@ -110,13 +110,13 @@ you will need to generate an .Ar RSA certificate. .Bd -literal -offset indent -# openssl genrsa -out /etc/ssl/private/server.key 1024 +# openssl genrsa -out /etc/ssl/private/server.key 2048 .Ed .Pp Or, if you wish the key to be encrypted with a passphrase that you will have to type in when starting servers .Bd -literal -offset indent -# openssl genrsa -des3 -out /etc/ssl/private/server.key 1024 +# openssl genrsa -aes256 -out /etc/ssl/private/server.key 2048 .Ed .Pp The next step is to generate a
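Review bot: in the first hunk the sentence now reads "Private keys can be encrypted using AES", but the command it describes uses `-aes256` and the covering message says AES-256; make it `.Ar AES-256` so the prose names the same cipher as the example. While this sentence is being touched, the unchanged continuation "and a passphrase to protect their integrity should the encrypted file be disclosed" is inaccurate: passphrase encryption protects the confidentiality of the key material when the file leaks, not its integrity, so "to protect them should the encrypted file be disclosed" would be the correct wording.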
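Review bot: in the second hunk the context line introducing the two commands still says "you will need to generate an .Ar RSA certificate", but `openssl genrsa` generates the private key; the certificate (or the CSR sent to the CA) is what "The next step is to generate a" goes on to describe. Since both command lines are being edited anyway, change that lead-in to "an RSA private key". The two changes themselves are consistent: 1024 becomes 2048 in both invocations, and only the passphrase variant gains `-aes256` in place of `-des3`, which matches the prose change in the first hunk.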
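As an added example (not part of this diff, the ssl(8) page or the OpenBSD tree): a POSIX shell audit that reports, for each PEM private key, the RSA modulus size and the cipher protecting it, and flags keys that still match the old 1024-bit/3DES recommendation. It assumes the openssl(1) command-line tool is on PATH; the scratch directory, the key file names and the passphrase "demo" are constructed for the demonstration. Because the OpenSSL version decides whether an encrypted key is written in the legacy PEM form (a `DEK-Info:` header) or as a PKCS#8 "ENCRYPTED PRIVATE KEY" envelope, the cipher is read from whichever of the two is present, and the size of an encrypted key can only be read with its passphrase.

```sh
#!/bin/sh
# Added audit helper (example code, not from ssl(8) or the OpenBSD tree).
# Assumes the openssl(1) CLI is on PATH.

# Cipher protecting the key, lower-cased: taken from the legacy PEM
# "DEK-Info:" header, or from the cipher OID inside a PKCS#8 "ENCRYPTED
# PRIVATE KEY" envelope (what newer OpenSSL writes); "none" if unencrypted.
key_cipher() {
    c=none
    if grep -q '^DEK-Info:' "$1"; then
        c=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1")
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        c=$(openssl asn1parse -in "$1" 2>/dev/null |
            sed -n 's/.*OBJECT *:\([^ ]*-[Cc][Bb][Cc]\)$/\1/p' | head -n 1)
    fi
    printf '%s\n' "$c" | tr '[:upper:]' '[:lower:]'
}

# RSA modulus size in bits.  $2 is the passphrase (empty for an unencrypted
# key): an encrypted key cannot be sized without it, so output is empty then.
key_bits() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# One line per key: size, cipher and findings against the 2048-bit/AES-256
# recommendation.  An unencrypted key is allowed by the page, so only 3DES
# and undersized keys are reported.
audit_key() {
    bits=$(key_bits "$1" "$2")
    cipher=$(key_cipher "$1")
    findings=
    if [ -z "$bits" ]; then
        findings=unreadable
    elif [ "$bits" -lt 2048 ]; then
        findings=rsa-under-2048
    fi
    case $cipher in
        des-ede3-cbc) findings="${findings:+$findings,}3des-encrypted" ;;
    esac
    echo "bits=${bits:-?} cipher=$cipher findings=${findings:-none}"
}

# Constructed fixtures, not real server keys: the former ssl(8) recommendation
# (1024-bit, 3DES) beside the new one (2048-bit, AES-256) and an unencrypted key.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
openssl genrsa -des3   -passout pass:demo -out "$demo/old.key"   1024 2>/dev/null
openssl genrsa -aes256 -passout pass:demo -out "$demo/new.key"   2048 2>/dev/null
openssl genrsa                            -out "$demo/plain.key" 2048 2>/dev/null

for k in old new plain; do
    printf '%-10s %s\n' "$k.key" "$(audit_key "$demo/$k.key" demo)"
done
```

Run against a real key store with `audit_key /etc/ssl/private/server.key "$passphrase"`; a key that reports `findings=unreadable` is either not RSA or was given the wrong passphrase, which is the one case the cipher column can still answer without it.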
