Generating a New Private Key
Generate a New Private Key
Note that private keys must be kept as secret as possible. Files containing private keys should preferably be readable only by the superuser (or perhaps an equivalent service userid, e.g. www or smmsp). Generating a new key should be done in a private subdirectory; the one containing the old key is an appropriate choice. (But don't clobber the old key.)
To generate a new private key, you can use the openssl command. Here we generate a 2048-bit key, placing it in the file new2048.key.
cscf.cs% openssl genrsa -out new2048.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
.................................................................+++
e is 65537 (0x10001)
cscf.cs%
The openssl command tends to be on a normal user path, and has subcommands useful for examining and working with SSL certificates and their components. As of 2011, GlobalSign Incorporated, the certificate authority chosen by the University of Waterloo, requires a key (pair) of at least 2048 bits. Note the last argument on the command line, "2048".
You should use an appropriate umask to ensure the privacy of the private key, but it's probably sufficient to chmod the file afterwards. If it is necessary to transfer a private key to another machine or user, be careful how you do it.
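As an added example (not from the original page), here is a POSIX shell script that carries out the steps above: a private subdirectory, a umask so the new key is unreadable by others from the moment it is written, no clobbering of an existing key, and a check of the result with openssl. It assumes openssl is on the PATH; the directory and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not the wiki page's own script. Assumes openssl on PATH.
set -eu

# generate_new_key DIR BITS -> prints the path of the new key file.
# Refuses to overwrite an existing file so the old key is not clobbered.
generate_new_key() {
  dir=$1; bits=$2
  keyfile="$dir/new${bits}.key"          # hypothetical naming, as on the page
  if [ -e "$keyfile" ]; then
    echo "refusing to clobber existing $keyfile" >&2
    return 1
  fi
  mkdir -p "$dir"
  chmod 700 "$dir"                       # private subdirectory, owner only
  # umask 077 in a subshell: the key is created mode 0600, so it is never
  # world-readable even for the instant before a later chmod.
  ( umask 077 && openssl genrsa -out "$keyfile" "$bits" 2>/dev/null )
  chmod 600 "$keyfile"                   # belt and braces, as the page suggests
  echo "$keyfile"
}

# key_bits FILE -> prints the modulus size in bits (works for OpenSSL 1.x and 3.x)
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# key_mode FILE -> prints the octal permission bits (GNU stat, then BSD stat)
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_ok FILE MINBITS -> succeeds only if the key passes openssl's consistency
# check, has at least MINBITS bits, and is readable by its owner alone.
key_ok() {
  openssl rsa -in "$1" -noout -check >/dev/null 2>&1 || return 1
  bits=$(key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge "$2" ] || return 1
  [ "$(key_mode "$1")" = "600" ] || return 1
}
```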
Note
In the past we would frequently re-use the old private key and use it to generate a new CSR when renewing a certificate. In fact, we began to assume that process, essentially generating a new expiry date for an existing public key, was what "renewing" meant. When GlobalSign required a change from 1024 to 2048 bit keys, that clearly could not be done. But furthermore, today (Wed May 11, 2011), http://www.globalsign.com/support/csrgen.php includes the statement "For higher server security GlobalSign does not allow reusing private keys. You must create a new key pair." That is, this process should almost certainly not be considered optional anymore.
In even more recent years, the above URL stopped returning such a definitive statement, and the requirement appears to have been removed. That might be because some products using SSL make it difficult to use a different private key. So whether this process is optional seems to depend on the software involved. It seems good practice to change the private key at each renewal, if possible.
--
AdrianPepper - 17 June 2016