SSL with 3072 bit key


#1

Hello,
I have a self-hosted standard installation of Ghost. The installation process generated a 2048-bit certificate. How do I replace it with a 3072-bit key?
I understand that ghost-cli is using acme.sh to manage certificates and I should probably force renewing the certificate with the parameter --keylength 3072. I’m unsure however how exactly to do that. Any advice? Is there a list of commands ghost-cli runs to set up the certificate in the first place?


#2

Hello,

I’m not a Ghost-CLI developer but I don’t think that’s possible right now with Ghost-CLI directly.

For the moment and for “normal” usage, using a 2048-bit RSA certificate is a good compromise between performance and security (because it should not be forgotten that the larger the key is, the more load time there is for each https request), so I think that’s why the installation process generated a 2048-bit certificate for the domain used by Ghost by default.

For information:
RSA 2048-bit will not be recommended past 2030 (from NIST Special Publication 800-57), and according to the NSA and ANSSI, RSA with a 3072-bit modulus is the minimum to protect up to TOP SECRET.

Given this, I think that even if you only use a 2048-bit RSA certificate for your blog you are “in the standard” for the security of your https communications.

Chart from NIST Special Publication 800-57:

In addition, as you indicate that you are self-hosting, if you still want to increase your security level you can very well use acme.sh (or certbot) on your server (if you are on a VPS/VDS or dedicated server) to generate your 3072-bit or even 4096-bit RSA key and certificate and configure your Nginx or Apache to use it.


#3

Thanks for the explanation. Using acme would be fine for me as long as it works for Ghost. I generated a 3072-bit RSA private key and CSR. How do I generate the certificate chain using acme?


#4

Hello,

Personally I don’t use acme.sh but another Letsencrypt client.

However, here is how to proceed, in a few steps, to generate a Letsencrypt certificate for a domain using your own CSR created from a 3072-bit RSA key.

If not already done, don’t forget to create the acme folder with the right permissions:

mkdir -p /var/www/html/.well-known/acme-challenge/
chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/

Use correct permissions for your key:

chmod 600 /path/mydomain.key

In the ‘server’ context of your NGINX configuration file you must have (or a similar config to authorize access to acme-challenge):

location ^~ /.well-known/acme-challenge/ {
    allow all;
    auth_basic off;
    default_type "text/plain";
}

Verify that your CSR is valid for acme:

acme.sh --showcsr --csr /path/to/mycsr.csr

Generate the Letsencrypt certificate with your CSR file:

acme.sh --signcsr --csr /path/to/mycsr.csr -d domain.name -w /home/wwwroot/domain.name

--signcsr is used with the same parameters as the --issue command.

So I think, if you want, you could also generate a Letsencrypt certificate with a 3072-bit RSA key like this:

acme.sh --issue -d domain.name -w /home/wwwroot/domain.name -k 3072

but in this case it’s not ‘your private key’, it’s a private key generated by acme.sh.

After generating the Letsencrypt certificate, you receive 3 files like this:
0000_cert.pem 0000_chain.pem 0001_chain.pem

You must use the “0001_chain.pem” (often renamed to fullchain.pem) because fullchain.pem contains both the intermediate certificate and the end-entity certificate.

You must add your private key and the fullchain cert to your NGINX configuration. That can look like this:

server {
    listen 443 ssl;
    server_name www.mydomain.com mydomain.com;
    ssl on;
    ssl_certificate /path/to/mydomain.crt;
    ssl_certificate_key /path/to/mydomain.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:!aNULL:!MD5:!kEDH';
}

If you use Apache, that can be:

Listen 443
<VirtualHost *:443>
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    SSLEngine on
    SSLCertificateFile "/path/to/mydomain.crt"
    SSLCertificateKeyFile "/path/to/mydomain.key"
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
</VirtualHost>

After this you restart the web server service and it’s done.

Regards.
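As an added example (not from this thread, and not acme.sh or Ghost-CLI code): a POSIX shell pre-deployment check, assuming the openssl CLI is installed, that confirms the private key really is 3072 bits, that the CSR and the leaf certificate in the returned chain file were made from that key, and that the chain file is ordered leaf first with each certificate issued by the one after it, before the paths go into the NGINX or Apache configuration above.

```shell
#!/bin/sh
# Pre-deployment check for a 3072-bit key, its CSR and the chain file
# (e.g. 0001_chain.pem) returned by acme.sh --signcsr. Assumes the
# openssl CLI; file paths are passed as arguments, nothing is hard-coded.

# Print the RSA key size in bits for a private key (rsa), CSR (req)
# or certificate (x509), as reported by "openssl <type> -text".
rsa_bits() {
    openssl "$1" -in "$2" -noout -text |
        sed -n 's/.*Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Print the Nth certificate (1-based) of a PEM bundle.
pem_nth() {
    awk -v n="$1" '/BEGIN CERTIFICATE/ { c++ } c == n { print }' "$2"
}

# A fullchain has at least two certificates, leaf first, and every
# certificate must be issued by the one that follows it.
check_chain_order() {
    count=$(grep -c 'BEGIN CERTIFICATE' "$1")
    [ "$count" -ge 2 ] || { echo "$1: only $count certificate(s), not a fullchain" >&2; return 1; }
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(pem_nth "$i" "$1" | openssl x509 -noout -issuer)
        subject=$(pem_nth $((i + 1)) "$1" | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] ||
            { echo "$1: certificate $i is not issued by certificate $((i + 1))" >&2; return 1; }
        i=$((i + 1))
    done
}

# check_tls_material KEY CSR FULLCHAIN EXPECTED_BITS
# Succeeds only if the key has the expected size, the CSR and the leaf
# certificate share the key's modulus, and the chain is well ordered.
check_tls_material() {
    key=$1 csr=$2 chain=$3 want=$4
    bits=$(rsa_bits rsa "$key")
    [ "$bits" = "$want" ] || { echo "$key: $bits-bit key, expected $want" >&2; return 1; }
    kmod=$(openssl rsa -in "$key" -noout -modulus)
    cmod=$(openssl req -in "$csr" -noout -modulus)
    lmod=$(pem_nth 1 "$chain" | openssl x509 -noout -modulus)
    [ "$kmod" = "$cmod" ] || { echo "$csr: CSR was not created from $key" >&2; return 1; }
    [ "$kmod" = "$lmod" ] || { echo "$chain: leaf certificate does not match $key" >&2; return 1; }
    check_chain_order "$chain"
}

# Usage: check_tls_material /path/mydomain.key /path/to/mycsr.csr 0001_chain.pem 3072
```

A non-zero exit with the reason on stderr means the material should not be deployed yet; a silent zero exit means key, CSR and chain agree.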


#5

@gh0-0st great answer, thank you! I use the standard stack so will do this with nginx once I sort out other issues.