Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones

[Matti Nykyri <matti.nykyri@iki.fi>]

On Apr 16, 2014, at 13:52, Tanstaafl <tanstaafl@libertytrek.org> wrote:

> Hi all,
> 
> I've taken this opportunity to prod the boss to let me buy some real certs for our few self-hosted mail services. Until now, we've used self-signed certs.
> 
> My question is, what exactly is the correct procedure for doing this?
> 
> Also, do I still need to do the step I've been seeing:
> 
> Step: 2
> 
> Delete SSL key set
> 
>    Now, make out a list of websites that are equipped with SSL
>    certificates.
>    After that, delete all SSL keys, private and CSR key
>    Finally, create a new private key and CSR key for each of your
>    website. However, remember that your keys should be of 2048-bit key
>    length.
> 
> ?
Depends on your security model. RSA 2048-bit should be sufficient for most people. Although it is totally possible to create 16384-bit key. Just remember to use random data and a trust worthy keygenerator. They both have been know to be tampered by some agencies :)

> 
> Or will simply replacing my self-signed certs with the new real ones be good enough?

No it will not. Keys are te ones that have been compromised. You need to create new keys. With those keys you need to create certificate request. Then you send that request to certificate authority for signing and publishing in their crl. When you receive the signed certificate you can start using it with your key. Never send your key to CA or expect to get a key from them.

There are also other algorithms the RSA. And also if you wan't to get PFS you will need to consider your setup, certificate and security model.

-- 
-Matti