Change of key size of the default certificate authority

I am curious whether some of you would be interested in a larger key for the certificate authority used by Nethserver… currently, the default key is 2048 bits (which is secure at the moment but…).

It seems, however, not to be so easy to change the default certificate authority’s key… (some problems which I had are described in this post: Distinction between LAN and VPN in fail2ban)

I circumvented that problem by creating the certificates manually via openssl… in my case, particularly for openVPN…

Is anyone else interested in having such a feature?

It shouldn’t be that hard.

We need to add a new prop under the pki key, and honor it inside this script: /usr/libexec/nethserver/pki-genkey.

If you want to try, I will gladly review the PR!


Thank you!!! Just generated a 4096 bit key via /usr/libexec/nethserver/pki-genkey… I removed the old NSRV key and the certificate (I don’t use them anyway…).

However, I don’t know how to use the new NSRV key for signing a certificate for the certificate authority.

```
/usr/libexec/nethserver/pki-gencrt -s

pki-gencrt: Generate NethServer default certificate
from OrganizationContact key in configuration
database.

Usage:
pki-gencrt [-s] [-f ] [-h]

-s Print the certificate subject line
-f Set output to (Default is /etc/pki/tls/certs/NSRV.crt)
-h this help

[root@assa ~ ]# pki-genkey -s
-bash: pki-genkey: command not found
```

Of course, I can do it by hand, but the script looks good in principle… do you have any idea what I am doing wrong?

For key generation using elliptic curve cryptography, one just has to replace line 34 of the /usr/libexec/pki-gen file with `/usr/bin/openssl ecparam -genkey -name secp521r1 -out "${PRIVATE_KEY}" &>/dev/null`
(tested!)

certainly you can also use any other named curve supported by openssl… :wink:
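A worked version of the configurable key generation suggested in this thread (the "new prop under the pki key" idea and the EC variant above), added here as an example and not NethServer's own pki-genkey. The `rsa:<bits>` / `ec:<curve>` spec string and the `gen_key` and `key_info` names are assumptions; the EC branch runs the same openssl command as the post above, and `key_info` reads back what openssl actually wrote so the key can be checked before pki-gencrt signs with it.

```shell
#!/bin/sh
# Added example, not NethServer's pki-genkey: generate the default certificate's
# private key from a spec string ("rsa:<bits>" or "ec:<named curve>", an assumed
# format standing in for the proposed pki prop), refusing RSA below 2048 bits,
# then report what was really produced so the result can be checked before
# pki-gencrt signs with it.
set -eu

# gen_key OUTFILE SPEC  (SPEC defaults to the current 2048-bit RSA)
gen_key() {
    out="$1"; spec="${2:-rsa:2048}"
    kind="${spec%%:*}"; param="${spec#*:}"
    # umask 077 inside a subshell: the key file is never world-readable,
    # and the umask change does not leak into the caller.
    (
        umask 077
        case "$kind" in
            rsa)
                [ "$param" -ge 2048 ] 2>/dev/null \
                    || { echo "gen_key: RSA size must be >= 2048, got '$param'" >&2; exit 1; }
                openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$param" \
                    -out "$out" 2>/dev/null ;;
            ec)
                # same command the post above uses, with the curve taken from SPEC
                openssl ecparam -genkey -name "$param" -noout -out "$out" 2>/dev/null ;;
            *)
                echo "gen_key: unknown key type '$kind'" >&2; exit 1 ;;
        esac
    )
}

# key_info KEYFILE -> "RSA <bits>" or "EC <curve>", parsed from openssl's own
# text dump so it reflects the file on disk rather than what was requested.
key_info() {
    txt=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
    case "$txt" in
        *"ASN1 OID:"*)
            printf 'EC %s\n' "$(printf '%s\n' "$txt" | sed -n 's/^ *ASN1 OID: *//p')" ;;
        *)
            printf 'RSA %s\n' "$(printf '%s\n' "$txt" | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')" ;;
    esac
}

# Usage: sh genkey.sh /path/to/NSRV.key rsa:4096
if [ $# -eq 2 ]; then
    gen_key "$1" "$2" && key_info "$1"
fi
```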