Increase Certbot Encryption Strength

makerbiles6 · June 6, 2020, 7:01am

I currently have certbot installed and functioning properly. I’m wondering, how would I go about configuring it to issue certificates with stronger than 128 bit keys? Not that I think they’re really necessary, I’m just curious. It’s been a while since I set it up, but best of my recollection, that was never an option it asked for input on.

_az · June 6, 2020, 7:24am

With “128 bit keys”, that refers to the size of the TLS session key. 128 bits of security (how that relates to key size varies by stream cipher) is considered more than enough for modern security.

Your certificate doesn’t determine or limit what the type, or size of this key is. That’s purely a negotation between the webserver and the browser. The only thing that influences that is the ciphersuite configuration of the webserver, and what the overlap with the client’s supported ciphersuites are. You can make sure you have the best ciphersuites configured by using something like https://ssl-config.mozilla.org.

Where your certificate key size does come into play is during the negotiation of that TLS session key. The stronger your key is, the harder it is for an attacker to interject into the key exchange process and figure out what the session key is.

To that end, you can increase the strength of your certificate’s private key. With Certbot, for example, you could increase the size from the default of 2048-bits:

--rsa-key-size 4096

But keep in mind that key exchange involving 4096-bit key is noticably slower than for a 2048-bit key, especially for very weak devices like old smartphones.

JuergenAuer · June 6, 2020, 7:39am

Hi @makerbiles6

browsers support only 4 versions:

RSA with 2048 / 4096 bytes.

EC with 256 / 384 bytes.

So it’s not only a question of Letsencrypt / the certbot client, it’s more a question of the browser and server support.

If you want to have smaller certificates, switch to EC.

schoen · June 8, 2020, 7:02am

We should also note that there's no evidence that there are currently any attackers who are able to perform this attack against 2048-bit RSA keys.

(@_az's explanation and analysis are totally correct, but a reader might get the mistaken impression from "the harder it is" that there's currently somebody for whom it's not that hard. As far as we know, it's pretty darn hard for everybody in the world at the moment.)

system · July 8, 2020, 7:02am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to generate 128 bit Lets encrypt certificate using Certbot Help	13	4904	September 10, 2018
Wrong bit length Help	8	831	June 16, 2023
RSA keysize limited fo 4096 with certbot for any reason? Client dev	2	1658	August 18, 2018
Need advise expanding cert with key-size Help	12	13948	March 6, 2017
Can I increase the Key Exchange and Cipher Strength I'm using for a 100% score on SSLabs? Help	23	5695	January 17, 2021

Increase Certbot Encryption Strength

Related topics