Openssl Generate 4096 Bit Key
Jun 18, 2013 RSA Key Sizes: 2048 or 4096 bits? Looking for ZRTP, TLS and 4096 bit RSA in a 100% free and open-source Android app? Many people are taking a fresh look at IT security strategies in the wake of the NSA revelations. Generate a SSL Key File. Firstly you will need to generate a key file. The example below will generate a 2048 bit key file with a SHA-256 signature. Openssl genrsa -out keyname.key 2048. If you want extra security you could increase the bit lengths. Openssl genrsa -out keyname.key 4096.
I'm trying to generate a 4096-bit DH key, but it has taken over 24 hours and the key is still trying to generate. Can I make this faster?
2 Replies
You're probably not generating enough entropy on your guest. Try generating system activity, like writing to the disk.
Dec 30, 2008 First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key: openssl genrsa -out ca.key 4096. Howto: Make Your Own Cert With OpenSSL. Dec 30, 2008 First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key: openssl genrsa -out ca.key 4096. (S/MIME) Howto: Make Your Own Cert With OpenSSL Pingback by SSL Certification Authority on Linux - fereis on-line — Friday 15 May 2015 @ 13:07. May 08, 2013 Here is a variant to my 'Howto: Make Your Own Cert With OpenSSL' method. This time, I needed a signing cert with a Certificate Revocation List (CRL) extension and an (empty) CRL. I used instructions from this post. Adding a CRL extension to a certificate is not.
You can also use a program like haveged. I won't speak of the security implications as that's a much more complicated subject, but you should know there could be some.
Diffie-Hellman keys can take a long time to generate because dhparam requires something known as a strong prime. Strong primes provide little to no security benefit but take a lot of effort to produce.
Instead, you should be using the -dsaparam
option to decrease generation time by avoiding strong prime effort. Here's an example of that:
openssl dhparam -dsaparam -out dhparam2.pem 4096
You can read more about this in the following OpenSSL manpage where you'll find:
-dsaparam
If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, 'strong' primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.
DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
There's some additional discussion on this topic here, as well:
https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours