SecurityEngineering/x509Certs: Difference between revisions

Line 39: Line 39:


= Running your Own CA =
= Running your Own CA =
This isa little more complicated. It has requires building 3 certificates: a long term root cert, a medium tem intermediate and a short term end-entity cert. The reason for this is that allows us to have a relatively simple long term root to be distributed to clients and some flexibility on the intermediate so that we can change parameters if security research indicates so.
If you are going to have your own CA, we recemmend building 3 certificates: a long term root cert, a medium term intermediate cert, and a short term end-entity cert. This type of hierarchy allows for a relatively simple long term root to be distributed to clients, and some flexibility on the intermediate cert so that you can change parameters based on best practices and security research.
== Generate your CA Root ==
== Generate your CA Root ==
We assume you are the domain owner of *.example.com and *.example.net. Update the values below to match your domains. We also assume that this computer is NOT connected to the internet.<br />
We assume you are the domain owner of *.example.com and *.example.net. Update the values below to match your domains. We also assume that this computer is NOT connected to the internet.<br />
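Review bot: the rewritten "Running your Own CA" paragraph still carries a spelling error, "recemmend" for "recommend"; since this revision already fixes "isa" and "medium tem", fix that one in the same pass: "If you are going to have your own CA, we recommend building 3 certificates: a long term root cert, a medium term intermediate cert, and a short term end-entity cert." Otherwise the rewrite reads well and keeps the original's rationale (a simple long-lived root distributed to clients, a flexible intermediate whose parameters can change as best practices and research evolve).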
Line 91: Line 91:
4. Intermediate sings the csr (using SHA256) and appends the extensions described in the file <br/>
4. Intermediate sings the csr (using SHA256) and appends the extensions described in the file <br/>
:"openssl x509 -req -sha256 -days  1096 -in  example.csr -CAkey intkey.pem  -CA int.pem -set_serial  $SOME_LARGE_INTEGER -out www.example.com.pem  -extfile openssl.int.cnf"
:"openssl x509 -req -sha256 -days  1096 -in  example.csr -CAkey intkey.pem  -CA int.pem -set_serial  $SOME_LARGE_INTEGER -out www.example.com.pem  -extfile openssl.int.cnf"
=Security Notes =
=Security Notes =
There are several organizations that try to find recommendations regarding the security parameters for key/hash sizes given current computational power. For the end date of our root cert (2017). These are the recomendations of bit sizes (from http://www.keylength.com/ ) by:
There are several organizations that try to find recommendations regarding the security parameters for key/hash sizes given current computational power. For the end date of our root cert (2017). These are the recomendations of bit sizes (from http://www.keylength.com/ ) by:
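Review bot: the unchanged context lines in this region carry two spelling errors this revision leaves in place, "sings" for "signs" in step 4 and "recomendations" for "recommendations" in the Security Notes, and the sentence "For the end date of our root cert (2017)." is a fragment that should be joined to the one after it ("For the end date of our root cert (2017), these are the recommendations of bit sizes ..."). On the step-4 command itself: `-set_serial $SOME_LARGE_INTEGER` names the placeholder as if size were the requirement, but what a CA needs is a serial that is unique across every certificate it issues and not predictable, so the surrounding text should tell the reader to draw it from a CSPRNG (for example `openssl rand -hex 16`, passed with the `0x` prefix that `-set_serial` accepts for hex values) rather than picking a large number by hand. The `-days 1096` value is also three years, which sits oddly next to the overview's description of the end-entity cert as "short term"; state the intended end-entity lifetime explicitly so the two sections agree.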