Increase SSL private key from 512 to 1024 bits.

At Nicira, we are experimenting with the idea of converting XAPI SSL keys to SSH keys.  In some cases this might be convenient for giving XenServers access to remote resources without distributing a second set of keys.

OpenSSH, however, refuses to accept RSA keys shorter than 768 bits for use in authentication.  So this change is necessary, to make XAPI generate keys longer than the current default of 512 bits.

Additionally, RSA says "512-bit keys no longer provide sufficient security for anything more than very short-term security needs"
(http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems like a good idea in any case.

Increasing the key length makes generating the key at installation time take a bit longer, but the difference is not significant:
on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl genrsa 1024" takes about 100 ms.

Signed-off-by: Ben Pfaff <blp@nicira.com>
1 parent b93249c commit 601969fcd3dffc9c87852c43d6536987626c5b8d @blp blp committed
Showing with 1 addition and 1 deletion.
  1. +1 −1 scripts/generate_ssl_cert
2 scripts/generate_ssl_cert
@@ -33,7 +33,7 @@ distinguished_name = dn-param
CN = ${CN}
@eof
-openssl genrsa > privkey.rsa
+openssl genrsa 1024 > privkey.rsa
openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config config -out cert.csr
openssl dhparam 512 > dh.pem
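
Review bot: The unchanged `openssl dhparam 512 > dh.pem` line at the end of this hunk still produces 512-bit Diffie-Hellman parameters, so anything that negotiates DHE with dh.pem stays at the size the commit message itself calls insufficient; raise it in the same change so it at least matches the new RSA key size. Separately, the certificate on the `openssl req` line is issued with `-days 3650`, so the 1024-bit key has to hold for ten years. Since the measured cost of going from 512 to 1024 bits was about 90 ms, `openssl genrsa 2048` would buy more margin for a one-time installation step and still clears the OpenSSH 768-bit minimum.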
