Forum Discussion

Coredump66_1745
Mar 31, 2010

SSL Certificate Renewal

Does anyone know if down time is required when renewing the SSL Certificate on the LTM?

3 Replies

  • Hamish
    Yeah, that's just to create a new CSR for the existing keypair.

    Personally I never use it. Generating a new keypair is a good way to ensure that your keys are harder to compromise via old hardware (e.g. the HDs and tapes where you store your backups), plus your older keys would probably be of a shorter length. 2048 should be the minimum nowadays... IIRC 1024 was very close to being broken last time I looked.


  • I think that they are working on 1024. We got a notification from our CA in Jan 2010 stating that the 768 bit RSA encryption has been compromised.


    This is a portion of the notification:


    You may have read recently in the news that 768 bit RSA encryption has now been compromised. While the operation took an immense amount of computing power and several terabytes of data, most industry experts agree that it is only a matter of time before 1024 bit RSA encryption is compromised. Some guess that it will take several years but others think the crack may come within a few.


    Microsoft and other browsers are starting to implement restrictions on key sizes so that 1024 bit RSA encryption is phased out before this compromise happens. Certificate Authorities must comply with this policy in order to continue to be embedded into the browsers.


    The default key size on v9.4.x is 1024 I believe. I'd recommend the same thing that Hamish did... generate manually and up your encryption to 2048.
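Both replies recommend the same thing: don't re-use the old keypair when renewing, generate a new one at 2048 bits, and then make sure nothing 1024-bit is left deployed. The script below is an added example written for this thread, not code from the thread, from F5 or from any CA. It uses the plain openssl CLI to generate a fresh 2048-bit key and CSR (which you would then import into the LTM through the mechanism your version provides, not shown here) and to audit existing keys, CSRs and certificates for RSA moduli below the minimum. The file names, the placeholder CN `www.example.test`, the 2048-bit threshold and the 1024-bit "legacy" certificate it builds for the audit are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5. Generates a new RSA
# keypair and CSR at MIN_BITS, then audits PEM keys/CSRs/certs for moduli
# below MIN_BITS. File names, CN and MIN_BITS are assumptions for the demo.
set -eu

MIN_BITS=2048
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-www.example.test}"   # placeholder subject, not a real host

# Minimal non-interactive req config: no prompts, no dependency on the
# system openssl.cnf.
cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $CN
EOF

# gen_key_and_csr NAME BITS: writes NAME.key and NAME.csr into WORKDIR.
gen_key_and_csr() {
  name="$1"; bits="$2"
  openssl genrsa -out "$WORKDIR/$name.key" "$bits" 2>/dev/null
  chmod 600 "$WORKDIR/$name.key"   # private key readable by owner only
  openssl req -new -key "$WORKDIR/$name.key" -config "$WORKDIR/req.cnf" \
    -out "$WORKDIR/$name.csr"
}

# rsa_bits FILE: print the RSA modulus size in bits of a PEM private key,
# CSR or certificate (empty output if no RSA key is found).
rsa_bits() {
  f="$1"
  case "$(head -n 1 "$f")" in
    *"BEGIN CERTIFICATE REQUEST"*) cmd=req ;;
    *"BEGIN CERTIFICATE"*)         cmd=x509 ;;
    *)                             cmd=rsa ;;   # PKCS#1 or PKCS#8 key
  esac
  openssl "$cmd" -in "$f" -noout -text 2>/dev/null \
    | sed -n 's/^.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# check_min_bits FILE: status 0 if the key is at least MIN_BITS, else 1.
check_min_bits() {
  bits="$(rsa_bits "$1")"
  if [ -z "$bits" ]; then
    echo "UNKNOWN  $1 (no RSA key found)"; return 1
  elif [ "$bits" -lt "$MIN_BITS" ]; then
    echo "WEAK     $1: $bits-bit RSA (< $MIN_BITS), replace with a new keypair"
    return 1
  else
    echo "OK       $1: $bits-bit RSA"; return 0
  fi
}

# --- demo -----------------------------------------------------------------
# New 2048-bit keypair and CSR to submit to the CA.
gen_key_and_csr new 2048

# Constructed "legacy" artifact: a 1024-bit self-signed certificate standing
# in for an old certificate still deployed on the LTM.
openssl genrsa -out "$WORKDIR/legacy.key" 1024 2>/dev/null
openssl req -x509 -new -key "$WORKDIR/legacy.key" -config "$WORKDIR/req.cnf" \
  -days 1 -out "$WORKDIR/legacy.crt"

# Audit everything in WORKDIR; status 1 means at least one weak key remains.
status=0
for f in "$WORKDIR"/*.key "$WORKDIR"/*.csr "$WORKDIR"/*.crt; do
  check_min_bits "$f" || status=1
done
echo "audit exit status: $status"
```

Point `WORKDIR` at a directory of exported PEM files (or loop over them with `check_min_bits`) to find anything still at 1024 bits; the certificate's key size is what the audit should check, since a renewed certificate issued against the old CSR keeps the old modulus. A non-zero `status` is the signal that a keypair, not just a certificate, needs replacing.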