[BlueOnyx:11838] Re: SSL certificate minimum key length issues on BQ5100R

David Hahn ml at sb9.com
Thu Dec 20 01:50:29 -05 2012


On 12/19/2012 10:25 PM, George F. Nemeyer wrote:
> On Wed, 19 Dec 2012, Robb Kinnin wrote:
>
>> Honestly, it's unfortunate that we have to upgrade boxes and OS to just
>> renew an SSL.
> You don't.
>
> All you need is a box with 'fairly recent' openssl and use that to create
> a 2048 bit key:
>
>        #openssl genrsa -des3 -out servername.key 2048
>
> Then create a Certificate Signing Request:
>
>        #openssl req -new -key servername.key -out servername.csr
>
> You can then self-sign the Request and use the Cert you get until you get
> the real one from the Authority:
>
>       #openssl x509 -req -days 3650 -in servername.csr -signkey \
>           servername.key -out servername.cert
>
> Then, rename the key containing the password, and again using openssl,
> strip the key's password from the key so it will work with the web server.
>
>      #mv servername.key servername.key.secure
>
>      #openssl rsa -in servername.key.secure -out servername.key
>
> Manually replace your old server key and cert and put the new ones into
> the web server's desired locations, and restart the web server.
>
> Just Google 'creating ssl certificate', or some similar phrase, and you'll
> find lots of step-by-step instructions.
>
> I recently updated a very ancient 1990's vintage 486 box using this
> procedure.  It's used for internal use, so we're just doing self signing.
> But the key is 2048 bits, and it all works just fine.  It took maybe 15
> minutes.
>
> =^_^=  Tigerwolf
>
Thank you

=^_^=

I also found this post on the list from Ken:
http://mail.blueonyx.it/pipermail/blueonyx/2011-January/006321.html
Gonna fire up an old box with 5100r on it and try it. His example is for the
admin gui. I would expect it's the same for a vsite.
Thanks all for the help.
Looks like all external signing requests will need to be 2048 bits from
now on.
I don't think an external authority will allow anything less.
Thanks Again.
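
A pre-install check for the key, CSR and cert produced by the procedure quoted above, as an added example that is not part of the thread: it confirms each file carries an RSA key of at least 2048 bits, that all three share one modulus, and that the passphrase-stripped key is not group or world readable. The function names and the script name are hypothetical; it assumes RSA keys, an unencrypted key file, and `openssl` on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the files the procedure above
# produces before they go to a CA or into the web server.

# dump KIND FILE FLAG: run the openssl subcommand matching KIND (key|csr|cert).
# Use the passphrase-stripped key, otherwise openssl prompts for the passphrase.
dump() {
    case "$1" in
        key)  openssl rsa  -in "$2" -noout "$3" ;;
        csr)  openssl req  -in "$2" -noout "$3" ;;
        cert) openssl x509 -in "$2" -noout "$3" ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# RSA size in bits, parsed from the "...Key: (2048 bit..." line of -text output.
rsa_bits() {
    dump "$1" "$2" -text | sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# SHA-256 of the modulus; equal hashes mean the files belong to one key pair.
modulus_hash() {
    dump "$1" "$2" -modulus | openssl dgst -sha256 | sed 's/^.*= *//'
}

# check_min_bits KIND FILE [MIN]: succeed only if the file parses and is >= MIN.
check_min_bits() {
    bits=$(rsa_bits "$1" "$2")
    [ -n "$bits" ] && [ "$bits" -ge "${3:-2048}" ]
}

# key_is_private FILE: succeed if neither group nor others can read the key.
key_is_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# verify_set KEY CSR CERT [MIN]: size check on all three, then modulus match.
verify_set() {
    min=${4:-2048}
    check_min_bits key "$1" "$min" && check_min_bits csr "$2" "$min" &&
        check_min_bits cert "$3" "$min" ||
        { echo "FAIL: a file is unreadable or under $min bits" >&2; return 1; }
    want=$(modulus_hash key "$1")
    [ "$want" = "$(modulus_hash csr "$2")" ] && [ "$want" = "$(modulus_hash cert "$3")" ] ||
        { echo "FAIL: key, CSR and cert do not share one modulus" >&2; return 1; }
    key_is_private "$1" || echo "WARN: $1 has no passphrase and is group/world readable" >&2
    echo "OK: $(rsa_bits key "$1")-bit key matches CSR and cert"
}

# Script usage: sh check_tls_set.sh servername.key servername.csr servername.cert
if [ "$#" -ge 3 ]; then verify_set "$@"; fi
```

The same `verify_set` call works once the CA-signed cert replaces the self-signed one, since the modulus comes from the key pair and not from the signer.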


