Talk:OpenSSL

From ArchWiki
Revision as of 16:08, 15 May 2015 by ITwrx (talk | contribs) (updates/modifications suggestions: new section)

openssl has a default key size of 512, which is not recommended; nowadays CAs only accept 2048 and above.

updates/modifications suggestions

While the effort that went into this article is much appreciated, it seems it's a little out of date and the format/organization could be improved. The example /etc/ssl/openssl.cnf doesn't match the current default file, which can make things confusing to newcomers. Also, trying to have the reader make in-depth customizations/dissections to /etc/ssl/openssl.cnf might not be the best approach. It seems to me that one could show separate explanations and configs for use cases/needs so readers could simply pick their use case, follow instructions and copy and paste one of the separate config files, if needed. Also, I experienced various issues trying to use the current instructions and ended up making minor tweaks to /etc/ssl/openssl.cnf and running CA.sh to create my CA and cert, so the current article may currently be technically broken.

after overview, package info, etc...

use cases:

self signed cert: list uses and drawbacks. list steps to implement.

create cert request for supplying to CA's: basic description and list steps to implement. including copy of appropriately configured /etc/ssl/openssl.cnf

create local CA, create req, key, and cert and sign cert with said CA: description/uses and list steps to implement. Either an appropriately configured /etc/ssl/openssl.cnf and Makefile, or instructions on using the CA.sh/CA.pl scripts with /etc/ssl/openssl.cnf. If the /etc/ssl/openssl.cnf + Makefile method, maybe a note on managing different versions of /etc/ssl/openssl.cnf for the use cases using alternative cnf file names. This way all three implementations could be achieved when needed from the same server without having to redo everything. Include a note on Postfix needing an unencrypted key and how to get both encrypted and unencrypted results with whichever method is chosen. I decrypted the key after generating it with CA.sh, as I wasn't sure how to create an unencrypted key using the CA.sh script and was out of time/patience for more research.

I'm not an openssl expert and am brand new to wiki editing, so I wasn't sure how best to help get this updated/modified. Any comments/suggestions by Arch elders/other end users are appreciated.
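
The local-CA use case and the encrypted/unencrypted key pair asked for above, as an added example (not part of the post or the article, and using plain `openssl` commands rather than CA.sh). The function name, file names, subjects and passphrase are constructed placeholders; an `openssl` binary with its default configuration file is assumed.

```shell
#!/bin/sh
# Added example: local CA + server certificate, keeping the server key both
# passphrase-protected and unencrypted (for daemons that cannot prompt,
# such as Postfix as noted in the post). All values are constructed.

make_demo_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # key files are created readable by the owner only
        KEY_PASS='constructed-demo-passphrase'; export KEY_PASS

        # 1. Local CA. Key size is stated explicitly instead of relying on
        #    whatever default the installed openssl.cnf carries.
        openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
            -passout env:KEY_PASS -subj '/CN=Example Local CA' \
            -keyout ca.key -out ca.crt 2>/dev/null || exit 1

        # 2. Server key, encrypted at rest with the passphrase.
        openssl genrsa -aes256 -passout env:KEY_PASS \
            -out server.key.enc 2048 2>/dev/null || exit 1

        # 3. Unencrypted copy of the same key for the daemon.
        openssl rsa -in server.key.enc -passin env:KEY_PASS \
            -out server.key 2>/dev/null || exit 1

        # 4. Certificate request (the file one would send to an external CA).
        openssl req -new -key server.key -sha256 \
            -subj '/CN=mail.example.org' -out server.csr || exit 1

        # 5. Sign the request with the local CA.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -passin env:KEY_PASS -CAcreateserial -sha256 -days 365 \
            -out server.crt 2>/dev/null || exit 1

        # 6. Confirm the issued certificate chains to the CA.
        openssl verify -CAfile ca.crt server.crt >/dev/null || exit 1
    )
}
```

Calling `make_demo_pki /some/dir` leaves `server.key.enc` (encrypted) and `server.key` (unencrypted) side by side; the passphrase is read from the environment so it does not appear in the process list.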