6

I'd like to know how to make a decent Certificate Signing Request (CSR) to secure my website and e-mail with a wildcard SSL certificate. With recent exploits such as POODLE on SSLv3, I'd like to know how to make a decent Certificate Signing Request to make a valid (and very secure) certificate and order one. I'd love to have a key with a high bit count (at least 2048 bits, 4096 bits if possible). I know where to order, but I would like some more advice on creating the request.

Can someone give more advice on how to make one and on why those options are chosen?

Thanks!

boflynn
user3581249
  • POODLE does not affect certificates. You can generate a certificate on your own, [via OpenSSL for example](https://www.openssl.org/docs/HOWTO/certificates.txt). Then you need to submit your public key for signing via a CSR to a Certificate Authority like [DigiCert](https://www.digicert.com/csr-creation.htm) or [VeriSign](https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR235). Or you can buy an SSL certificate for your site via one of those services. – RoraΖ Oct 29 '14 at 20:15
  • Take a look at the excellent blogpost at https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/ – void_in Oct 30 '14 at 04:53

1 Answer

7

When you create the Certificate Signing Request, you simply need to specify what level of encryption you desire.

For example, for 2048-bit:

openssl req -new -newkey rsa:2048 -nodes -out Test.csr -keyout Test.key

There are a bunch of tools here that will tell you what command to use based on your Operating System and requirements: https://www.digicert.com/csr-creation.htm

When submitting your CSR, make sure you are getting a SHA-2 certificate, as SHA-1 will soon be obsolete.

For protecting against POODLE, as RoraΖ mentioned, it is not about the certificates installed. It is up to how you allow your server to authenticate encrypted communication. All versions of SSL need to be disabled on your server to force authentication over TLS instead.

  • For some examples of programs to help you generate a CSR, see http://security.stackexchange.com/a/89321/63999 – LvB May 26 '15 at 17:02
  • You should use the `-sha256` flag, for example, if you want to generate a SHA-2 CSR. –  May 26 '15 at 17:05
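As an added example (not code from the answer or its commenters), the following POSIX shell script combines the answer's `openssl req` command with the `-sha256` flag from the comment and adds a subjectAltName covering the wildcard, which is what CAs and browsers actually read for a wildcard certificate. The domain `example.com`, the organisation name and the output directory are placeholders.

```shell
#!/bin/sh
# Generate a 4096-bit RSA key and a SHA-256-signed wildcard CSR carrying a SAN
# extension, then verify the request's own signature before it goes to the CA.
# Usage: make_wildcard_csr <domain> <outdir>   (domain/outdir are placeholders)
set -eu

make_wildcard_csr() {
  domain="$1"; outdir="$2"
  mkdir -p "$outdir"
  conf="$outdir/csr.cnf"
  # Minimal OpenSSL request config: distinguished name plus a SAN listing the
  # wildcard and the bare apex, since "*.domain" does not match "domain" itself.
  cat > "$conf" <<EOF
[ req ]
default_bits       = 4096
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
CN = *.$domain
O  = Example Org
C  = US
[ ext ]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
  # -nodes leaves the private key unencrypted, so restrict its permissions.
  # -sha256 signs the request with SHA-2, as recommended in the comments.
  umask 077
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
    -config "$conf" -keyout "$outdir/wildcard.key" \
    -out "$outdir/wildcard.csr" 2>/dev/null
  # Check the CSR's self-signature; a corrupted request would be rejected by the CA
  openssl req -in "$outdir/wildcard.csr" -noout -verify 2>/dev/null
}

# Show the key size, signature digest and SANs the CA will see (pre-submission check)
csr_summary() {
  openssl req -in "$1" -noout -text
}
```

Run `csr_summary out/wildcard.csr` after generating and confirm the 4096-bit key, sha256WithRSAEncryption and both DNS entries appear before ordering.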