Generating a New Private Key

Note that private keys must be kept as secret as possible. Files containing private keys should preferably be readable only by the superuser (or perhaps an equivalent service userid, e.g. www or smmsp). Generate a new key in a private subdirectory; the one containing the old key is an appropriate choice. (But don't clobber the old key.)

To generate a new private key, you can use the openssl command. Here we generate a 2048-bit RSA key, placing it in the file new2048.key.

   cscf.cs% openssl genrsa -out new2048.key   2048
   Generating RSA private key, 2048 bit long modulus
   ........+++
   .................................................................+++
   e is 65537 (0x10001)
   cscf.cs% 
The openssl command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components.

As of 2011, GlobalSign Incorporated, the certificate authority chosen by the University of Waterloo, requires a key (pair) of at least 2048 bits. Note the last argument on the command-line "2048".

You should set an appropriate umask (e.g. umask 077) before running openssl so the key file is created readable only by its owner; a chmod 600 afterwards is probably sufficient, but with a permissive umask the key is briefly readable by others in between. If it is necessary to transfer a private key to another machine or user, be careful how you do it: copy it over an authenticated, encrypted channel such as scp, and never leave it in a world-readable location.
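The procedure above (private subdirectory, restrictive umask, at least 2048 bits, don't clobber the old key) collected into one script, as an added example that is not part of the original page. It assumes openssl(1) is on the PATH; the directory and file names are illustrative choices, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes openssl(1) is on PATH.
# Helper names (generate_private_key, key_bits, key_is_private) are illustrative.

# generate_private_key DIR NAME [BITS]
# Create a fresh RSA private key DIR/NAME, readable only by the owner, and print
# its path. Refuses keys shorter than 2048 bits and never overwrites an existing file.
generate_private_key() {
    dir=$1; name=$2; bits=${3:-2048}
    if [ "$bits" -lt 2048 ]; then
        echo "refusing to generate a key shorter than 2048 bits: $bits" >&2
        return 1
    fi
    # A private working directory: owner-only access.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    key="$dir/$name"
    # Don't clobber an existing key (e.g. the one still in service).
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key: $key" >&2
        return 1
    fi
    # umask 077 in a subshell so the file is created 0600 rather than fixed up
    # after the fact; the caller's umask is left untouched.
    ( umask 077 && openssl genrsa -out "$key" "$bits" 2>/dev/null ) || return 1
    chmod 600 "$key"
    echo "$key"
}

# key_bits FILE
# Print the modulus size (in bits) of an RSA private key, parsed from openssl's
# "Private-Key: (N bit ...)" line, to confirm the CA's minimum was met.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# key_is_private FILE
# Succeed only if FILE has mode rw------- (no group or world access).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# Usage (the paths are illustrative):
#   generate_private_key /etc/ssl/private/2016 new2048.key
#   key_bits /etc/ssl/private/2016/new2048.key
```

Running it a second time with the same name fails rather than replacing the key, and key_bits gives a quick check that the generated key is as long as the CA requires.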

Note

In the past we would frequently re-use the old private key and use it to generate a new CSR when renewing a certificate. In fact, we began to assume that process, essentially generating a new expiry date for an existing public key, was what "renewing" meant. When GlobalSign required a change from 1024 to 2048 bit keys, that clearly could not be done. But furthermore, today (Wed May 11, 2011), http://www.globalsign.com/support/csrgen.php includes the statement
For higher server security GlobalSign does not allow reusing private keys. You must create a new key pair.
That is, this process should almost certainly not be considered optional anymore.

In even more recent years, the above URL stopped returning such a definitive statement, and the requirement appears to have been removed. That might be because some products using SSL make it difficult to use a different private key. So whether this process is optional seems to depend on the software involved. It seems good practice to change the private key at each renewal, if possible.

-- AdrianPepper - 17 June 2016


Topic revision: r9 - 2016-06-17 - AdrianPepper