Are there any disadvantages to using a 4096-bit encrypted SSL certificate?

SslHttpsCertificateSsl Certificate

Ssl Problem Overview

I was recently requesting a SSL cert via GoDaddy and noticed this message:

Make sure the CSR you generate uses a 2048-bit or greater key length

In the past I have always generated 2048-bit CSR requests, but this time it got me thinking that perhaps I should "step it up," and it seems like the next step would be a 4096-bit version.

There isn't much info available on 4096-bit SSL certs - but apparently many people have been using 1024-bit certificates until they absolutely had to upgrade and now some browsers won't support the 1024-bit certificates anymore.

How is browser support for 4096-bit certificates? If GoDaddy requires "at least" a 2048-bit certificate, is that enough, or should I try and do something more? If so, what are the advantages and disadvantages?

PS: the two links in GoDaddy's message are CSR Help and Learn more, neither of which I found very helpful.

Ssl Solutions

Solution 1 - Ssl

Pretty much all* browsers will support 4096-bit keys. The issue you'll run into is that key exchange is slower with larger keys, which will increase load on the server and slow down page loading on the client.

2048-bit keys are generally considered safe for the time being. If you want an intermediate step, though, 3072-bit keys are right smack-dab in the middle.

*: Only exception might be a couple of weird, old mobile / embedded browsers.

Solution 2 - Ssl

If you are going to use Amazon CloudFront, they only supports up to 2048 bit keys as of today.

References:

Solution 3 - Ssl

If you have a 4096 bit SSL certificate, in order to support some clients (especially Java-based clients and some older clients) you will want to generate a 2048 bit or 1024 bit Diffie-Hellman Key and add it to your server certificate. However, if you support a 1024 bit DH key you should also be aware of the Logjam attack. You can accommodate these clients easily by adding a DH key of the appropriate size, but first carefully consider which clients you want to support.

Solution 4 - Ssl

Hi sorry for answering SOOO OLD thread, but the main point in "NOT" creating 4096 cert is, your CA cert will be 2048, so creating sub cert 4096 is pointless... when even having 2049 bit long cert will make attacker attack your CA cert instead yours.

Categories
Recommended Ssl Solutions
Recommended Https Solutions
Recommended Certificate Solutions
Recommended Ssl Certificate Solutions

Previous Solution:

Adding text (just text!) to a form in Drupal 7

FormsApiDrupalDrupal 7Drupal Forms

Next Solution:

node.js displays "undefined" on the console

Javascriptnode.jsConsoleUndefined

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestioncwdView Question on Stackoverflow
Solution 1 - Ssluser149341View Answer on Stackoverflow
Solution 2 - SsltnjView Answer on Stackoverflow
Solution 3 - SslvallismortisView Answer on Stackoverflow
Solution 4 - SslBiG_NoBoDyView Answer on Stackoverflow