IncludeCertGeneratePrivateKey
www or smmsp.
Generating a new key should be done in a private subdirectory; the one containing the old key is an appropriate choice. (But don't clobber the old key.)

To generate a new private key, you can use the openssl command. Here we generate a 2048-bit key, placing it in file new2048.key.
    cscf.cs% openssl genrsa -out new2048.key 2048
    Generating RSA private key, 2048 bit long modulus
    ........+++
    .................................................................+++
    e is 65537 (0x10001)
    cscf.cs%

The openssl command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components.
As of 2011, GlobalSign Incorporated, the certificate authority chosen by the University of Waterloo, requires a key (pair) of at least 2048 bits. Note the last argument on the command-line, "2048".
You should use an appropriate umask to ensure the privacy of the private key, but it is probably sufficient to chmod the key file afterwards. If it is necessary to transfer a private key to another machine or user, be careful how you do it.
In the past we would frequently re-use the old private key and use it to generate a new CSR when renewing a certificate. In fact, we began to assume that process, essentially generating a new expiry date for an existing public key, was what "renewing" meant. When GlobalSign required a change from 1024-bit to 2048-bit keys, that clearly could not be done. But furthermore, today (Wed May 11, 2011), http://www.globalsign.com/support/csrgen.php says:

    For higher server security GlobalSign does not allow reusing private keys. You must create a new key pair.

That is, this process should almost certainly not be considered optional anymore.
In even more recent years, the above URL stopped returning such a definitive statement, and the requirement appears to have been removed. That might be because some products using SSL make it difficult to use a different private key. So whether this process is optional seems to depend on the software involved. It seems good practice to change the private key at each renewal, if possible.
-- AdrianPepper - 17 June 2016