Univention Bugzilla – Bug 37621
Improve defaults for root certificate private key
Last modified: 2016-07-21 15:16:06 CEST
Most of the private key options are hardcoded in make-certificates.sh: > openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048 It should be possible to configure: 1. key encryption algorithm I think we should default to '-aes256' instead of '-des3'. As far as I know there's yet nothing wrong with 3DES except that it is really slow compared to AES. 2. key length: 2048 bits might be enough for today, but who knows if that's still the case in 5 years (default UCS-CA validity) 3. key algorithm we should consider supporting ECDSA keys (instead of / additionally to RSA) in the near future
Created attachment 7176 [details] Change key encryption and default bits for root-CA private key
(In reply to Michael Grandjean from comment #0) > 2. key length: > 2048 bits might be enough for today, but who knows if that's still the case > in 5 years (default UCS-CA validity) This was implemented through Bug #30545 commit r54455: URCV ssl/default/bits
(In reply to Michael Grandjean from comment #0) > 1. key encryption algorithm > I think we should default to '-aes256' instead of '-des3'. As far as I know > there's yet nothing wrong with 3DES except that it is really slow compared > to AES. r70651 | Bug #37621 SSL: Make cipher for root CA configurable > 3. key algorithm Not yet supported; waiting for request by customer. Package: univention-ssl Version: 10.0.0-15.172.201606271746 Branch: ucs_4.1-0 Scope: errata4.1-2 r70655 | Bug #41230,Bug #38903,Bug #37621 SSL: YAML univention-ssl.yaml
Code review: OK Tests: OK Advisory: Added description of new default.
<http://errata.software-univention.de/ucs/4.1/213.html>