On Thu, Sep 01, 2011 at 11:20:32PM -0400, Lawrence Teo wrote:
> This diff changes the ssl(8) man page to use a key size of 2048 bits
> when generating the RSA private key for use with httpd. Increasing
> numbers of CAs will no longer accept 1024-bit RSA CSRs as a response to
> NIST's draft publication SP800-57 "Recommendation for Key Management."
>
> In addition, it changes the recommended algorithm for encrypting the
> private key from 3DES to AES-256.
>
> Thoughts?
>
> Lawrence
>
fixed, thanks. jmc > > Index: ssl.8 > =================================================================== > RCS file: /cvs/src/share/man/man8/ssl.8,v > retrieving revision 1.46 > diff -u -p -r1.46 ssl.8 > --- ssl.8 26 Mar 2010 19:30:40 -0000 1.46 > +++ ssl.8 2 Sep 2011 03:04:03 -0000 > @@ -94,7 +94,7 @@ directory, with the keys in the > directory. > .Pp > Private keys can be encrypted using > -.Ar 3DES > +.Ar AES > and a passphrase to protect their integrity should the encrypted file > be disclosed. > However, it is important to note that encrypted server keys mean that the > @@ -110,13 +110,13 @@ you will need to generate an > .Ar RSA > certificate. > .Bd -literal -offset indent > -# openssl genrsa -out /etc/ssl/private/server.key 1024 > +# openssl genrsa -out /etc/ssl/private/server.key 2048 > .Ed > .Pp > Or, if you wish the key to be encrypted with a passphrase that you will > have to type in when starting servers > .Bd -literal -offset indent > -# openssl genrsa -des3 -out /etc/ssl/private/server.key 1024 > +# openssl genrsa -aes256 -out /etc/ssl/private/server.key 2048 > .Ed > .Pp > The next step is to generate a
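Review bot: in the first hunk (`@@ -94,7 +94,7 @@`), the unchanged context line right after the `.Ar AES` change still says the passphrase protects the keys' "integrity should the encrypted file be disclosed"; passphrase encryption of a private key protects its confidentiality, not its integrity, so while this paragraph is being touched consider "and a passphrase to protect their confidentiality should the encrypted file be disclosed". The `3DES` to `AES` swap itself is fine, but "AES" alone is less specific than the `-aes256` flag in the example further down; writing AES-256 here would keep the prose and the command in step.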
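Review bot: in the second hunk (`@@ -110,13 +110,13 @@`), both `openssl genrsa` lines now hard-code 2048 but nothing in the surrounding text says why 1024 was dropped; the reason given in the cover mail (CAs no longer accepting 1024-bit RSA CSRs, following NIST SP800-57) deserves a sentence before the first `.Bd -literal` block, otherwise a reader who still has an older 1024-bit command has no hint that the resulting CSR may be refused. The `-des3` to `-aes256` change needs no prose update, since the "encrypted with a passphrase that you will have to type in when starting servers" sentence still describes the behaviour accurately.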
