12
votes

Take a look at PayPal's (https://www.paypal.com/) security certificate. It says: Connection Encrypted: High-grade Encryption (TLS_RSA_WITH_AES_256_CBC_SHA, 256 bit keys).

Now, how can I create my self-signed certificate to have the same encryption, AES256?
I tried the following code in OpenSSL:

openssl> req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

I ended up with a 128-bit certificate. Then I tried:

openssl> genrsa -aes256 -out key.key 4096
openssl> req -new -key key.key -out cert.csr
openssl> x509 -req -days 365 -in cert.csr -signkey key.key -out cert.crt
openssl> rsa -in key.key -out key.key

Even though I specified '-aes256', I ended up again with a 128-bit certificate: Connection Encrypted: High-grade Encryption (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 BIT KEYS).

So, what did I do wrong, and can you tell me how to create that 256-bit certificate? Thanks for the help!

2
You have a certificate with a 4096-bit RSA key. There is no sense in going higher than that. Which symmetric encryption will be chosen by SSL depends only on what the server/client support, not on the key size of the certificate. You need to fix the server config, not the certificate. – CodesInChaos

CodesInChaos was right. I should have edited the configuration of the server. I added this line in the Apache config and it worked: SSLCipherSuite AES256-SHA – user3284653

2 Answers

7
votes

CodesInChaos was right. I should have edited the configuration of the server. I added the SSLCipherSuite line in Apache config and it worked:

SSLCipherSuite AES256-SHA
0
votes

Common misunderstanding: SSL certificates don't dictate the cipher strength a web site uses; the web server's SSL configuration does. There are two types of certificates, signed with RSA or EC. If you want to use SSL ciphers with ECDH, then you need an EC-signed cert; otherwise RSA certs will only be able to use RSA ciphers.
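The point both answers make, that the cipher suite comes from the server's cipher string and not from the certificate, can be checked without any certificate at all. The following is an added example (it is not code from the question or either answer): it feeds an OpenSSL cipher string of the kind used in Apache's SSLCipherSuite directive to Python's ssl module, which hands it to the same OpenSSL cipher-string parser mod_ssl uses, and reports each enabled suite with its key exchange and symmetric key size. No key or certificate is ever loaded, so every number it prints is a property of the string and the OpenSSL build alone. The second cipher string in CIPHER_STRINGS is my own suggestion, not something from the post; only "AES256-SHA" is taken from the accepted answer.

```python
import ssl

# Cipher strings to compare. "AES256-SHA" is the line from the accepted answer;
# the second string is constructed for this example (assumption, not from the post):
# 256-bit AES-GCM with an ECDHE key exchange, usable with an RSA or an ECDSA cert.
CIPHER_STRINGS = {
    "accepted answer": "AES256-SHA",
    "256-bit AEAD with forward secrecy (example)":
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
}


def enabled_suites(cipher_string):
    """Return [(name, key_exchange, symmetric_cipher, key_bits)] for every
    TLS <= 1.2 suite the cipher string enables on this OpenSSL build.
    No certificate is loaded: the result depends only on the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # OpenSSL found no suite matching the string
    suites = []
    for c in ctx.get_ciphers():
        # TLS 1.3 suites are not selected by this string (Apache configures
        # them with a separate "SSLCipherSuite TLSv1.3 ..." line), so skip them.
        if c["protocol"] == "TLSv1.3":
            continue
        suites.append((c["name"], str(c["kea"]), str(c["symmetric"]),
                       c["strength_bits"]))
    return suites


def weakest_key_bits(cipher_string):
    """Smallest symmetric key size any enabled suite would negotiate (0 if none).
    This, not the RSA key size in the certificate, is the number the browser
    shows as '128 bit keys' or '256 bit keys'."""
    suites = enabled_suites(cipher_string)
    return min(bits for _, _, _, bits in suites) if suites else 0


def without_forward_secrecy(cipher_string):
    """Names of enabled suites that use static RSA key exchange: the session key
    is encrypted to the certificate's RSA key, so a later key compromise
    decrypts recorded traffic. AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA) is one."""
    return [name for name, kea, _, _ in enabled_suites(cipher_string)
            if kea == "kx-rsa"]


def report(cipher_string):
    """Human-readable summary of what an SSLCipherSuite line actually enables."""
    lines = [f"SSLCipherSuite {cipher_string}"]
    for name, kea, sym, bits in enabled_suites(cipher_string):
        lines.append(f"  {name:<32} {kea:<10} {sym:<14} {bits} bit")
    lines.append(f"  weakest key: {weakest_key_bits(cipher_string)} bit; "
                 f"no forward secrecy: "
                 f"{', '.join(without_forward_secrecy(cipher_string)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, cs in CIPHER_STRINGS.items():
        print(f"# {label}")
        print(report(cs))
        print()
```

Two things the report makes visible. First, the question's own output already shows an ECDHE_RSA suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) negotiated with an RSA certificate: the "RSA" in that name is the authentication, so an RSA cert does not restrict you to static-RSA key exchange. Second, AES256-SHA does give 256-bit keys, but every suite it enables shows up under "no forward secrecy", whereas the 128-bit suite the asker got by default had ECDHE; a string such as ECDHE-RSA-AES256-GCM-SHA384 gets both properties with the same 4096-bit RSA certificate. Whatever string you settle on, run it through this check (or `openssl ciphers -v '<string>'`) before putting it in httpd.conf, because the set of matching suites depends on the OpenSSL version mod_ssl is linked against.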