Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are there any disadvantages to using a 4096-bit encrypted SSL certificate?

Tags:

certificate

https

ssl

ssl-certificate

People also ask

How secure is 4096 bit?

Security researchers have successfully broken one of the most secure encryption algorithms, 4096-bit RSA, by listening — yes, with a microphone — to a computer as it decrypts some encrypted data. The attack is fairly simple and can be carried out with rudimentary hardware.

What is 4096 bit SSL certificate?

A 4096 bit key does provide a reasonable increase in strength over a 2048 bit key, and according to the GNFS complexity, encryption strength doesn't drop off after 2048 bits. There's a significant increase in CPU usage for the brief time of handshaking as a result of a 4096 bit key.

Is 2048 bit encryption secure?

A 2048-bit RSA key provides 112-bit of security. Given that TLS certificates are valid for two years maximum (soon to be decreased to one), 2048-bit RSA key length fulfills the NIST recommendation until late in this decade.

Who uses 2048 bit encryption?

Fortunately, companies like Google, that also have a high internet presence, are recognizing the potential problems and taking steps to address them. One such solution is 2048-bit encryption.

Pretty much all* browsers will support 4096-bit keys. The issue you'll run into is that key exchange is slower with larger keys, which will increase load on the server and slow down page loading on the client.

2048-bit keys are generally considered safe for the time being. If you want an intermediate step, though, 3072-bit keys are right smack-dab in the middle.

*: Only exception might be a couple of weird, old mobile / embedded browsers.


If you are going to use Amazon CloudFront, they only supports up to 2048 bit keys as of today.

References:

  • Having trouble associated SSL cert with Amazon Cloudfront
  • SSL certs with keys larger than 2048 bits?

If you have a 4096 bit SSL certificate, in order to support some clients (especially Java-based clients and some older clients) you will want to generate a 2048 bit or 1024 bit Diffie-Hellman Key and add it to your server certificate. However, if you support a 1024 bit DH key you should also be aware of the Logjam attack. You can accommodate these clients easily by adding a DH key of the appropriate size, but first carefully consider which clients you want to support.


Hi sorry for answering SOOO OLD thread, but the main point in "NOT" creating 4096 cert is, your CA cert will be 2048, so creating sub cert 4096 is pointless... when even having 2049 bit long cert will make attacker attack your CA cert instead yours.

Related questions

What are the best practice for domain names (dev, staging, production)?
How can I set up Jenkins CI to use https on Windows?
Difference between DTLS and TLS
How to use TLS 1.2 in Java 6
Verify if curl is using TLS
javax.net.ssl.SSLException: Received fatal alert: protocol_version
Issues with installing python libraries on Windows : CondaHTTPError: HTTP 000 CONNECTION FAILED for url <https://conda.anaconda.org/anaconda/win-64
PHPMailer generates PHP Warning: stream_socket_enable_crypto(): Peer certificate did not match expected
SSL Multilevel Subdomain Wildcard
How to add subject alernative name to ssl certs?
Random "peer not authenticated" exceptions with Java SSLContextImpl$TLS10Context
Which is the default location for keystore/truststore of Java applications?
How to create a https server on localhost
Simple Java HTTPS server
Self-signed SSL Cert or CA? [closed]
HTTPS login with Spring Security redirects to HTTP
How to send an HTTPS GET Request in C#
How to Create Secure(TLS/SSL) Websocket Server
Using JavaMail with TLS
Enabling the OpenSSL in XAMPP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!