SSL forcing 4096

#1
Hello,

To force 4096-bit RSA, is it enough just to add '4096' at the end, or should -f also be included?

So,
Code:
certbot certonly --non-interactive --agree-tos -m demo@gmail.com --webroot -w /var/www/certbot -d example.com 4096
or
Code:
certbot certonly --non-interactive --agree-tos -m demo@gmail.com --webroot -w /var/www/certbot -d example.com -f 4096
 
#3
Well ... can you please make this clearer for me?

1) In case of a fresh install, it should look like
Code:
certbot certonly --non-interactive --agree-tos -m demo@gmail.com --webroot -w /var/www/certbot -d example.com --rsa-key-size 4096
Correct?

2) In case of an existing installation, it should look like
Code:
certbot renew --rsa-key-size 4096 --cert-name example.com --force-renewal
Correct?

3) In case of an existing installation, should future renewals also get the fix in /etc/cron.d/certbot, or will it be "fixed" by the above (number 2) command on the first manual renewal?

4) If /etc/cron.d/certbot should be fixed, how should it look? Now it is:
Code:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"
 

Cold-Egg

Administrator
#4
Item 1 looks good to me.
I'm not sure if "--rsa-key-size 4096" is needed for the renewal. You might want to confirm with Let's Encrypt team or forum.
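As an added example (not from the thread or from certbot itself): a POSIX shell check of which RSA key size a certbot lineage will use on its next "certbot renew", read from the rsa_key_size entry certbot keeps in /etc/letsencrypt/renewal/<cert-name>.conf, plus an optional openssl check of the deployed privkey.pem. The renewal conf contents, account id and paths below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. certbot stores per-certificate renewal
# settings in /etc/letsencrypt/renewal/<cert-name>.conf; "certbot renew" reads
# them, so the rsa_key_size recorded there (as written by certbot 1.x; 2.x may
# record key_type/elliptic_curve for ECDSA lineages instead) decides the next key.

# Print the rsa_key_size from a renewal conf, or "unset" if it is absent.
renewal_key_size() {
    size=$(sed -n 's/^[[:space:]]*rsa_key_size[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$size" ] && printf '%s\n' "$size" || printf 'unset\n'
}

# Return 0 when the conf will renew with the expected size, 1 otherwise.
check_renewal_key_size() {
    [ "$(renewal_key_size "$1")" = "$2" ]
}

# Bit length of an existing RSA private key (privkey.pem), via openssl if present.
privkey_bits() {
    command -v openssl >/dev/null 2>&1 || { printf 'openssl-missing\n'; return 0; }
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Constructed sample renewal conf, as a 2048-bit lineage looks before the
# "certbot renew --rsa-key-size 4096 --force-renewal" run from the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem

[renewalparams]
account = placeholderaccountid
authenticator = webroot
webroot_path = /var/www/certbot,
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 2048
[[webroot_map]]
example.com = /var/www/certbot
EOF

if check_renewal_key_size "$SAMPLE_CONF" 4096; then
    echo "next renewal uses 4096-bit RSA"
else
    echo "next renewal uses $(renewal_key_size "$SAMPLE_CONF")-bit RSA; renew again with --rsa-key-size 4096"
fi
```

Run it against a real lineage by pointing SAMPLE_CONF at /etc/letsencrypt/renewal/example.com.conf and privkey_bits at the matching privkey.pem; if the conf already says 4096, the cron line in /etc/cron.d/certbot needs no extra flag.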