Make sure you choose 2048-bit for key size in CSRs

Recently I had to order a bunch of new SSL certs for work and clients. It had been a couple of years, so I didn’t realize Network Solutions and Entrust both require 2048-bit key size for their EV certs. This was no big deal; I just had to modify how I generate the keys. For instance, here is how I generated the key on a Linux box:

[root@myhost]# openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

Notice, the only difference is I had to add “-newkey rsa:2048” to my command. I’m not sure if -new is really needed; I’ve always just put it there.

I decided to see why both Entrust and Network Solutions made the change. I probably had seen something about this in the last couple of years, but didn’t take notice of it. I found the change was made on the recommendation of NIST in NIST Special Publication 800-57. Specifically, this is addressed in Part 3 (pdf link).

Their specific recommendations are shown in the table below:

As you can see, they recommend all RSA keys after 2010 be at least 2048 bits. I have no problem with this; I was curious as to where the change came from and thought I would post it here.
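
A pre-submission check for the 2048-bit requirement, as an added example that is not part of the original post: it reads the key size back out of a CSR and rejects an RSA key below the minimum. The helper names gen_csr and check_csr and the subject test.example are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). gen_csr and check_csr are
# hypothetical helper names; test.example is a constructed subject.

# Generate a key and CSR non-interactively, using the post's command plus -subj.
# usage: gen_csr <bits> <basename>
gen_csr() {
    openssl req -new -newkey "rsa:$1" -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=test.example" 2>/dev/null
}

# Return 0 if the CSR carries an RSA key of at least <min> bits (default 2048),
# 1 if the RSA key is too small, 2 if the CSR is unreadable or not RSA.
# usage: check_csr <file.csr> [min]
check_csr() {
    min=${2:-2048}
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || {
        echo "cannot parse CSR: $1" >&2
        return 2
    }
    # Matches the line "Public Key Algorithm: rsaEncryption"
    alg=$(printf '%s\n' "$text" |
        sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    # Matches "Public-Key: (2048 bit)"; older OpenSSL prints
    # "RSA Public Key: (2048 bit)", so accept a hyphen or a space.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # An EC key has far fewer bits by design, so the RSA threshold
    # is only meaningful for RSA requests.
    if [ "$alg" != "rsaEncryption" ] || [ -z "$bits" ]; then
        echo "$1: not an RSA CSR (algorithm: ${alg:-unknown})" >&2
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "$1: RSA key is $bits bits, below the ${min}-bit minimum" >&2
        return 1
    fi
    echo "$1: RSA $bits bits, OK"
}
```

Running check_csr myserver.csr before uploading the request catches a CSR that was generated with an old command line or an old default key size.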
