Hello,
I have self-hosted standard installation of Ghost. The installation process generated 2048 bit certificate. How do I replace it with 3072 bit key?
I uderstand that ghost-cli is using acme.sh to manage certificates and I should probably force renewing certificate with parameter --keylength 3072. I’m unsure however how to exacly do that. Any advice? Is there a list of commands ghost-cli is doing to setup certificate in the first place?
Hello,
I’m not a Ghost-CLI developer but I don’t think that’s possible right now with Ghost-CLI directly.
For the moment and for “normal” usage, using a RSA certificate 2048-bit is a good compromise between performance and security (because it should not be forgotten that more larger the key is and more load time is for each https request), so i think that’s why the installation process generated a 2048-bit certificate for the domain used by ghost by default.
For information:
RSA 2048-bit will not be recommended past 2030 (from NIST Special Publication 800-57) and according to NSA and ANSSI, RSA with 3072 bit-modulus is the minimum to protect up to TOP SECRET.
Given this, I think that even if you only use a 2048-bit rsa certificate for your blog you are “in the standard” for the security of your https communications.
Chart from NIST Special Publication 800-57:
In add, as you indicate that you are in self-hosting, if you still want to increase your security level you can very well use acme.sh (or certbot) on your server (if you are in VPS/VDS or dedicated server) to generate your keys and certificate RSA 3072-bit or even 4096-bit and configure your Nginx or Apache to use it.
Thanks for explanation. Using acme would be fine for me as long as it works for ghost. I generated 3072 RSA private key and csr. How do I generate certificate chain using acme?
Hello,
Personally I don’t use acme.sh but another letsencrypt client.
However, here is how to proceed below with a few steps to generate its letsencrypt certificate for a domain using its own CSR certificate created from a 3072-bit RSA key.
If not done, don’t forget to create the acme folder and the good permission:
mkdir -p /var/www/html/.well-known/acme-challenge/
chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/
Use correct permission for your key :
chmod 600 /path/mydomain.key
In your ‘server’ context in your NGINX configuration file you must have (or similary config to autorize access to acme-challenge):
location ^~ /.well-known/acme-challenge/ {
allow all;
auth_basic off;
default_type “text/plain”; }
Verify that your CSR is valid for acme:
acme.sh --showcsr --csr /path/to/mycsr.csr
Generate Letsencrypt certificate with your CSR file :
acme.sh --signcsr --csr /path/to/mycsr/csr -d domain.name -w /home/wwwroot/domaine.name
–signcsr is used with parameters are same as --issue command
So i think if you want you could also generate a letsencrypt certificate with a RSA key 3072-bit like this:
acme.sh --issue -d domain.name -w /home/wwwroot/domaine.name -k 3072
but in this case it’s not ‘your private key’ it’s a private key generate by acme.sh
After generate letsencrypt certificate, you reveive 3 files like this:
0000_cert.pem 0000_chain.pem 0001_chain.pem
You must use the “0001_chain.pem” (often rename this file to fullchain.pem) because
fullchain.pem contains both the intermediate certificate and the end-entity certificate.
You must add your private key and the fullchain cert in your NGINX configuration.
That can look like this:
server {
listen 443 ssl;
server_name www.mydomain.com mydomain.com;
ssl on;
ssl_certificate /path/to/mydomain.crt;
ssl_certificate_key /path/to/mydomain.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ‘HIGH:!aNULL:!MD5:!kEDH’;
}
If you use Apache, that can be:
Listen 443
<VirtualHost *:443>
ServerName www.mydomain.com
ServerAlias mydomain.com
SSLEngine on
SSLCertificateFile “/path/to/mydomain.crt”
SSLCertificateKeyFile “/path/to/mydomain.key”
SSLCipherSuite HIGH:!aNULL:!MD5
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
After this you do restart web server service and it’s done.
Regards.
@gh0-0st great answer, thank you! I use standard stack so will do this with nginx once I sort out other issues.
1 Like
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.