Which encryption, AES or DES, should I use for the private key for an SSL certificate?

20,608

The encryption param of the openssl genrsa command is used to specify which algorithm to use for encrypting your private key (using the password you specify).

A CSR (Certificate Signing Request) includes your public key and some additional public information to be included in the certificate. A CSR never includes a private key.

So, choice of algorithm for encrypting the private key is completely unrelated to CSR. Choose whatever you prefer. AES variants and Triple-DES (-des3) should be preferred; plain DES is usually considered not secure these days. Also see why AES is more secure than DES. But I think algorithm choice in this particular case is not as important as using a strong password and protecting it.

Note: remember that if you protect your private key with a password, you will be prompted to enter the password every time you want to access the private key, such as when starting your web server. If you forget the password, your private key is effectively lost and you must generate a new key and request a new certificate. You could generate a private key without encryption (without a password): openssl genrsa -out filename.key 2048. It is also possible to remove the password (effectively, store the key unencrypted) at any time using a command like this: openssl rsa -in encrypted.key -out unencrypted.key. You'll need the password for that (you will be prompted to enter it).

Author by

avasin

Updated on January 13, 2020
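
The procedure discussed on this page (AES-256 encrypted 2048-bit key, CSR, optional passphrase removal), run non-interactively with checks that the CSR carries only the public key. This is an added example, not part of the original answer; the file names, the subject and the passphrase are constructed, and it assumes an openssl binary with its default configuration file installed.

```shell
#!/bin/sh
# Added example. File names, the subject and the passphrase are constructed.
set -eu
umask 077   # key and passphrase files readable by the owner only

# make_key DIR: 2048-bit RSA key, encrypted with AES-256 under a passphrase.
# The passphrase is read from a file so it never shows up in the process list.
make_key() {
    printf '%s\n' 'constructed-demo-passphrase' > "$1/pass.txt"
    openssl genrsa -aes256 -passout "file:$1/pass.txt" \
        -out "$1/enc.key" 2048 2>/dev/null
}

# make_csr DIR: CSR for that key; the key is decrypted in memory only.
make_csr() {
    openssl req -new -key "$1/enc.key" -passin "file:$1/pass.txt" \
        -subj '/CN=*.example.test' -out "$1/req.csr"
}

# is_encrypted FILE: both PEM layouts OpenSSL writes mark an encrypted key
# with the word ENCRYPTED (in the BEGIN line or in the Proc-Type header).
is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# key_opens KEYFILE PASSFILE: true when the passphrase decrypts the key.
key_opens() { openssl rsa -in "$1" -passin "file:$2" -noout 2>/dev/null; }

# csr_is_public_only DIR: the CSR has no private key block, and its public
# key equals the one derived from enc.key.
csr_is_public_only() {
    if grep -q 'PRIVATE KEY' "$1/req.csr"; then return 1; fi
    pub=$(openssl req -in "$1/req.csr" -noout -pubkey) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl rsa -in "$1/enc.key" \
        -passin "file:$1/pass.txt" -pubout 2>/dev/null)" ]
}

# strip_passphrase DIR: write the same key unencrypted to plain.key.
strip_passphrase() {
    openssl rsa -in "$1/enc.key" -passin "file:$1/pass.txt" \
        -out "$1/plain.key" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_key "$WORK"; make_csr "$WORK"; strip_passphrase "$WORK"
is_encrypted "$WORK/enc.key" && echo "enc.key: passphrase-protected"
csr_is_public_only "$WORK" && echo "req.csr: public key only, matches enc.key"
is_encrypted "$WORK/plain.key" || echo "plain.key: stored unencrypted"
```

Only req.csr goes to the certificate authority; enc.key and pass.txt stay on the server, and plain.key exists only if an unattended web server start is required.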

Comments

  • avasin
    avasin over 4 years

    I've just bought a Comodo essential wildcard certificate; they asked me to generate a CSR to activate it.

    As I understood, I need to:

    1. Generate an RSA 2048-bit private key
    2. Generate a CSR based on it

    As I see, the openssl genrsa command accepts different encryption params:

    • -des encrypt the generated key with DES in cbc mode
    • -des3 encrypt the generated key with DES in ede cbc mode (168 bit key)
    • -aes128,
    • -aes192,
    • -aes256

    What should I use?