Generating TLS Keys and Signing Requests
Use a trustworthy machine with good entropy to generate TLS keys.
RSA Keys
SSL Labs recommends a key size of 2048 bits for most use cases and discourages the use of keys larger than 3072 bits. Use one of the following commands to generate an RSA key with openssl:
# 2048 bit RSA
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example-rsa.key.pem
# 3072 bit RSA
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out example-rsa.key.pem
ECDSA Keys
Most browsers support the secp256r1 (P-256) and secp384r1 (P-384) curves. Use one of the following commands to generate an EC key with openssl:
# P-256 EC key
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out example-ec.key.pem
# P-384 EC key
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out example-ec.key.pem
Certificate Signing Request
The openssl req utility can be used to generate certificate signing requests suitable for certhub. Note that Let’s Encrypt ignores anything in the CSR except CN, subjectAltName and the OCSP stapling TLS feature flag (if present). Adapt the following example to generate a CSR from the command line without having to craft an openssl.cnf file:
# Remove the "tlsfeature" line if your TLS server is not configured for OCSP stapling.
$ openssl req -new -subj "/CN=example.com" \
    -addext "subjectAltName = DNS:example.com,DNS:www.example.com" \
    -addext "basicConstraints = CA:FALSE" \
    -addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \
    -addext "tlsfeature = status_request" \
    -key example-ec.key.pem -out example-ec.csr.pem
To inspect any CSR, use the -text and -noout flags:
$ openssl req -text -noout -in example-ec.csr.pem
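The following script ties the steps above together and runs the checks a practitioner would want before handing a CSR to a CA (signature verifies, CSR public key matches the private key on disk, SAN list and OCSP must-staple flag are exactly as intended). It is an added example, not certhub's or the OpenSSL project's own code; it assumes OpenSSL 1.1.1 or newer (for -addext) and uses constructed example hostnames.

```shell
#!/bin/sh
# Added example (not certhub's own code). Requires OpenSSL >= 1.1.1 for -addext.
set -eu

# Generate a P-256 key and a CSR for the given CN and SAN list.
# $1 key file, $2 CSR file, $3 common name, $4 SAN list such as "DNS:a,DNS:b"
make_csr() {
    key="$1"; csr="$2"; cn="$3"; sans="$4"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key" 2>/dev/null
    # keyEncipherment is an RSA-only usage, so an EC CSR asks for digitalSignature only.
    openssl req -new -subj "/CN=$cn" \
        -addext "subjectAltName = $sans" \
        -addext "basicConstraints = CA:FALSE" \
        -addext "keyUsage = digitalSignature" \
        -addext "tlsfeature = status_request" \
        -key "$key" -out "$csr"
}

# Check a CSR before submitting it. Prints "ok" when every check passes,
# otherwise the name of the first failing check (and returns non-zero).
# $1 key file, $2 CSR file, $3 expected SAN line as openssl -text prints it
check_csr() {
    key="$1"; csr="$2"; want_san="$3"
    # 1. The CSR's self-signature must verify (catches a corrupted or edited file).
    openssl req -verify -noout -in "$csr" >/dev/null 2>&1 || { echo "bad-signature"; return 1; }
    # 2. The public key inside the CSR must belong to the private key we will deploy.
    csr_pub=$(openssl req -pubkey -noout -in "$csr")
    key_pub=$(openssl pkey -pubout -in "$key")
    [ "$csr_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
    # 3. The SAN list must be exactly what was intended; the CA issues for SANs, not CN.
    text=$(openssl req -text -noout -in "$csr")
    got_san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//')
    [ "$got_san" = "$want_san" ] || { echo "san-mismatch: $got_san"; return 1; }
    # 4. The must-staple flag must be present, since this CSR was built for a stapling server.
    #    A certificate carrying it is rejected by clients if the server does not staple.
    printf '%s\n' "$text" | grep -q 'TLS Feature' || { echo "no-tlsfeature"; return 1; }
    echo "ok"
}

# Usage with constructed example names:
#   d=$(mktemp -d)
#   make_csr "$d/key.pem" "$d/csr.pem" example.com "DNS:example.com,DNS:www.example.com"
#   check_csr "$d/key.pem" "$d/csr.pem" "DNS:example.com, DNS:www.example.com"
```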