Make sure you choose a 2048-bit key size in CSRs
Recently I had to order a bunch of new SSL certs for work and clients. It had been a couple of years, so I didn't realize that Network Solutions and Entrust both now require a 2048-bit key size for their EV certs. This was no big deal; I just had to modify how I generate the keys. For instance, here is how I generated the key on a Linux box:
[root@myhost]# openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
Notice that the only difference is that I had to add “-newkey rsa:2048” to my command. I'm not sure if -new is really needed; I've always just put it there.
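As an added example (not from the original post), here is a small POSIX shell script that wraps the command above and then reads the key size back out of the generated CSR, so you can confirm you are sending the CA a 2048-bit request before you pay for the cert. The `-subj` argument, the `/CN=example.com` placeholder subject and the `check_csr` helper are my additions for non-interactive use; everything else is the same openssl invocation as in the post.

```shell
# Generate a CSR with an RSA key of the requested size, then verify the key
# size that actually ended up in the CSR before submitting it to the CA.
# Requires the openssl command-line tool (assumption: OpenSSL 1.x or 3.x).
set -eu

# gen_csr BITS KEYFILE CSRFILE SUBJECT
# Same command as in the post, plus -subj so it runs without prompting.
# -nodes writes the private key unencrypted; protect the file accordingly.
gen_csr() {
    bits=$1; key=$2; csr=$3; subject=$4
    openssl req -new -newkey "rsa:${bits}" -nodes \
        -keyout "$key" -out "$csr" -subj "$subject" 2>/dev/null
}

# csr_key_bits CSRFILE
# Prints the RSA modulus size in bits as reported by `openssl req -text`,
# which shows a line such as "Public-Key: (2048 bit)" (older releases
# print "RSA Public-Key: (2048 bit)"; the sed pattern matches both).
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_csr CSRFILE MINBITS
# Returns 0 if the CSR's key is at least MINBITS bits, 1 otherwise.
# Use this as a gate before sending the CSR to a CA that enforces 2048.
check_csr() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# Example usage (placeholder subject; substitute your real DN):
#   gen_csr 2048 myserver.key myserver.csr "/CN=example.com"
#   check_csr myserver.csr 2048 && echo "OK: 2048-bit or larger"
```

For what it is worth, the openssl req manual page documents `-newkey` as creating both a new private key and a new request, so the script keeps `-new` only to match the post's command; the important part is the `rsa:2048` argument and the check that follows it.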
I decided to see why both Entrust and Network Solutions made the change. I had probably seen something about this in the last couple of years but didn't take notice of it. I found that the change was made at the recommendation of NIST in NIST Special Publication 800-57; specifically, this is addressed in Part 3 (pdf link).
Their specific recommendations are shown in the table below:
As you can see, they recommend that all RSA keys used after 2010 be at least 2048 bits. I have no problem with this; I was just curious where the change came from and thought I would post it here.