Which encryption (AES/DES) should I use for the private key for an SSL certificate? [closed]

I've just bought a Comodo Essential wildcard certificate; they asked me to generate a CSR to activate it.

As I understand it, I need to:

  1. Generate an RSA 2048-bit private key
  2. Generate a CSR based on it

As I see, the openssl genrsa command accepts different encryption params:

  • -des: encrypt the generated key with DES in CBC mode
  • -des3: encrypt the generated key with DES in EDE CBC mode (168-bit key)
  • -aes128
  • -aes192
  • -aes256

What should I use?

avasin asked Jan 02 '14 15:01
1 Answer

The encryption parameter of the openssl genrsa command specifies which algorithm is used to encrypt your private key (using the password you specify).

A CSR (Certificate Signing Request) includes your public key and some additional public information to be included in the certificate. A CSR never includes a private key.

So, the choice of algorithm for encrypting the private key is completely unrelated to the CSR. Choose whatever you prefer. AES variants and Triple-DES (-des3) should be preferred; plain DES is usually considered not secure these days. Also see why AES is more secure than DES. But I think the algorithm choice in this particular case is not as important as using a strong password and protecting it.

Note: remember that if you protect your private key with a password, you will be prompted to enter the password every time you want to access the private key, such as when starting your web server. If you forget the password, your private key is effectively lost and you must generate a new key and request a new certificate. You could generate a private key without encryption (without a password): openssl genrsa -out filename.key 2048. It is also possible to remove the password (effectively, store the key unencrypted) at any time using a command like this: openssl rsa -in encrypted.key -out unencrypted.key. You'll need the password for that (you will be prompted to enter it).

vond answered Nov 12 '22 05:11
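As an added example (not from the original post), the following script walks through the answer's points with the openssl CLI: it generates an AES-256-encrypted RSA key, builds a CSR from it, checks that the CSR carries only public material and that the encrypted key is unusable without its passphrase, then strips the passphrase the way the answer describes. The work directory, passphrase and subject are constructed assumptions.

```shell
# Added example, not from the original post. Requires the openssl CLI; the
# passphrase, subject and file names below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:demo-passphrase-change-me"    # constructed demo passphrase

# 1. Private key encrypted with AES-256-CBC (preferred over plain DES)
gen_key() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/server.key" 2048 2>/dev/null
}

# 2. CSR built from that key; the subject is a placeholder
gen_csr() {
    openssl req -new -key "$WORK/server.key" -passin "$PASS" \
        -subj "/CN=example.test" -out "$WORK/server.csr" 2>/dev/null
}

# The CSR must carry no private-key block, only public material
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORK/server.csr"
}

# The public key embedded in the CSR must match the one derived from the key
csr_matches_key() {
    k=$(openssl rsa -in "$WORK/server.key" -passin "$PASS" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$WORK/server.csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# The encrypted key is unusable with a wrong passphrase
key_needs_password() {
    ! openssl rsa -in "$WORK/server.key" -passin pass:wrong -noout 2>/dev/null
}

# 3. Strip the passphrase: the copy is stored unencrypted, as the answer warns
strip_password() {
    openssl rsa -in "$WORK/server.key" -passin "$PASS" -out "$WORK/server-plain.key" 2>/dev/null
    grep -q ENCRYPTED "$WORK/server.key" && ! grep -q ENCRYPTED "$WORK/server-plain.key"
}

run_demo() {
    gen_key && gen_csr
    csr_has_no_private_key && echo "CSR contains no private key"
    csr_matches_key && echo "CSR public key matches the private key"
    key_needs_password && echo "Encrypted key rejects a wrong passphrase"
    strip_password && echo "Unencrypted copy written to $WORK/server-plain.key"
}
run_demo
```

The unencrypted copy is what a web server can load without prompting, so keep its file permissions as tight as the encrypted original.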