[BlueOnyx:11837] Re: SSL certificate minimum key length issues on BQ5100R
George F. Nemeyer
tigerwolf at tigerden.com
Thu Dec 20 01:25:38 -05 2012
On Wed, 19 Dec 2012, Robb Kinnin wrote:
> Honestly, it's unfortunate that we have to upgrade boxes and OS to just
> renew an SSL.
You don't.
All you need is a box with 'fairly recent' openssl and use that to create
a 2048 bit key:
#openssl genrsa -des3 -out servername.key 2048
Then create a Certificate Signing Request:
#openssl req -new -key servername.key -out servername.csr
You can then self-sign the Request and use the Cert you get until you get
the real one from the Authority:
#openssl x509 -req -days 3650 -in servername.csr -signkey servername.key -out servername.cert
Then, rename the key containing the password, and again using openssl,
strip the key's password from the key so it will work with the web server.
#mv servername.key servername.key.secure
#openssl rsa -in servername.key.secure -out servername.key
Manually replace your old server key and cert and put the new ones into
the web server's desired locations, and restart the web server.
Just Google 'creating ssl certificate', or some similar phrase, and you'll
find lots of step-by-step instructions.
I recently updated a very ancient 1990's vintage 486 box using this
procedure. It's used for internal use, so we're just doing self signing.
But the key is 2048 bits, and it all works just fine. It took maybe 15
minutes.
=^_^= Tigerwolf
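Added example, not part of the original message: a check to run before restarting the web server. It confirms that the key meets a minimum length, that the key, CSR and cert carry the same public key, and that the passphrase-less key file is readable only by its owner. The function names and the "/CN=servername.example" subject are hypothetical; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical;
# file names follow the message (servername.key / .csr / .cert).

# Size in bits of an unencrypted RSA private key ("-passin pass:" makes an
# encrypted key fail instead of prompting).
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Returns 0 if all checks pass; 1 short/unreadable key, 2 public-key mismatch,
# 3 key file accessible to group or others.
check_tls_files() {  # $1=key  $2=csr  $3=cert  $4=minimum bits
    bits=$(key_bits "$1")
    if [ -z "$bits" ] || [ "$bits" -lt "$4" ]; then
        echo "FAIL: key is ${bits:-unreadable} bits, need $4"; return 1
    fi
    k=$(openssl rsa  -in "$1" -passin pass: -noout -modulus 2>/dev/null)
    r=$(openssl req  -in "$2" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$3" -noout -modulus 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$r" ] || [ "$k" != "$c" ]; then
        echo "FAIL: key, CSR and cert do not share one public key"; return 2
    fi
    # The passphrase was stripped, so file permissions are the only protection.
    case $(ls -ld "$1") in
        -r[w-]-------*) ;;
        *) echo "FAIL: $1 is accessible to group/others"; return 3 ;;
    esac
    echo "OK: $bits-bit key matches CSR and cert"
}

# Constructed throwaway files for trying the checks; "/CN=servername.example"
# is a placeholder subject, and no passphrase is set so nothing prompts.
make_sample() {  # $1 = directory
    openssl genrsa -out "$1/servername.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/servername.key" -subj "/CN=servername.example" \
        -out "$1/servername.csr" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$1/servername.csr" \
        -signkey "$1/servername.key" -out "$1/servername.cert" 2>/dev/null &&
    chmod 600 "$1/servername.key"
}

# Usage: sh check.sh servername.key servername.csr servername.cert
if [ "$#" -eq 3 ]; then check_tls_files "$1" "$2" "$3" 2048; fi
```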