Posts

Showing posts from October, 2012

I made a GIF!

SSL Management Tasks Revisited

In my May 2011 post "SSL Management Tasks" I included some partially automated scripts for openssl on Windows and Linux/UNIX. This is a more in-depth look at certain openssl tasks and the associated commands.

Private Keys - Public-key (or asymmetric) cryptography uses private keys to decrypt messages and public keys to encrypt them. Generating a private key is the first step to creating a certificate signing request or a self-signed certificate. Run the openssl command:

$ openssl genrsa -out private.key 2048

Explaining the openssl command options in order: "genrsa" The standard openssl command to create a new key using the RSA algorithm. There are other algorithms available, however RSA is preferred. "2048" Use a custom 2048 bit modulus. If omitted, the default is an unacceptable 512 bits. The modulus is essentially the key's size: larger keys equal stronger encryption. Certificate Authorities generally do not accept values greater th

Microsoft increases minimum SSL key (KB2661254)

In August 2012, Microsoft published an optional update KB2661254 titled "Update For Minimum Certificate Key Length". Re-released in October as a recommended update, it was applied by Windows Automatic Updates to all systems with the following options set: The minimum SSL certificate key length was increased from 512 bits to 1024 bits. The minimum key length cannot be bypassed using IE's "Continue to this website[...]" option despite the message being displayed. Many self-signed SSL certificates created with openssl's default modulus are now effectively Internet Explorer incompatible. Available workarounds include uninstalling KB2661254 and generating new server SSL certificates. When generating new private keys, use a 2048 bit modulus. Today's 1024 bit acceptable minimum key will eventually be vulnerable too. And while 4096 bit keys are an option, many certificate authorities will not sign those requests.