Hello
What is the best key size for SSL interception in terms of security and performance?
I know that the largest key size, such as RSA (4096 bits), gives the best security. But there is no server that uses this size for encryption and decryption. Although security is important, we must also pay attention to performance; a secure service that does not satisfy performance criteria will no doubt be dropped. See: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices.
My question specifically: when intercepting SSL, the intercepted certificates are signed by the root certificate, and the root certificate will have a key size of RSA (2048 bits) or RSA (4096 bits). Now, FortiOS 5.4.8 and 5.6.3 use a certificate by default (Fortinet_CA_SSL) with a key size of RSA (2048 bits), but I want to use a root certificate with RSA (4096 bits) because it is better security and can be used for a longer time when deployed to a large enterprise. If a root certificate with RSA (4096 bits) is used, does that affect performance or the client?
I do not understand well what happens when intercepting SSL. I know that HTTPS inspection operates by acting as a transparent proxy: it terminates and decrypts the client-initiated TLS session, analyzes the inner HTTP plaintext, and then initiates a new TLS connection to the destination website. See page 2: https://zakird.com/papers/https_interception.pdf.
But for the encryption between the client and the firewall, is the server key or the root key used?
Symantec recommends that customers use RSA keys of size 2048 bits or higher, or Elliptic Curve keys on curves of size 224 bits or higher. See page 13: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/10000/DOC10...
Apple root certificates use RSA (4096 bits); see the Apple Root CA - G2 root certificate, and also Amazon, Comodo and others.
I will use a root certificate with key size RSA (4096 bits) and the signature algorithm SHA-384, and not RSA keys of 2048 bits with SHA-256.
Is this better? Does it affect performance or the client? And why?
Please, experts, answer: what is the best?
Appreciate your help.
Regards,
Ziyad
But for the encryption between the client and the firewall, is the server key or the root key used?
The CA root key is never exposed to the client. The root key is used during the signing and validation of the issued certificate.
The SSL client is going to negotiate the master key for the session using only the public key of the web server, for example.
Issuing a certificate from a root CA that uses 4K bits or more is not going to make you more or less protected.
As far as CAs that use 4096 bits, they are few but they do exist. I would weigh what you think you need against performance.
Run openssl speed and select various key sizes and you will see the "longer" times, e.g.

openssl speed rsa2048

vs.

openssl speed rsa4096

or even rsa1024.
Check out a previous blog post for examples of running comparisons:
http://socpuppet.blogspot...ssl-trick-2-stime.html
PCNSE
NSE
StrongSwan
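As an added example that is not part of the thread, the following script builds a 4096-bit root CA like the one the question proposes, issues a 2048-bit leaf certificate with it, and shows that the root key appears only as the signature on the leaf while the leaf's own key is what the client negotiates against; it ends with the openssl speed comparison the reply recommends. The CA name, hostname and temporary paths are constructed, and openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the thread): a 4096-bit root CA signs a 2048-bit leaf; the
# root key shows up only as that signature, the leaf key is what the client negotiates.
# CA name, hostname and temp paths are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA: 4096-bit RSA key, SHA-384 self-signature (the setup the question proposes).
make_root() {
  openssl req -x509 -newkey rsa:4096 -sha384 -nodes -days 3650 \
    -subj "/CN=Example Intercept Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Leaf for one intercepted site: a fresh 2048-bit key, signed by the root key.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -sha384 -days 30 \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# Size of the public key inside a certificate: this is what the TLS handshake uses.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm on a certificate: this is where the root key's size matters.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Chain check: the root's public key verifies the root's signature on the leaf.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1 && echo OK
}
# The comparison the reply recommends: per-operation RSA cost at 2048 vs 4096 bits.
speed_compare() {
  openssl speed -seconds 1 rsa2048 rsa4096 2>/dev/null | grep '^rsa'
}

make_root; make_leaf
echo "root key bits:   $(cert_key_bits "$WORK/root.crt")"   # 4096
echo "leaf key bits:   $(cert_key_bits "$WORK/leaf.crt")"   # 2048
echo "leaf signed via: $(cert_sig_alg "$WORK/leaf.crt")"    # sha384WithRSAEncryption
echo "chain verify:    $(verify_leaf)"                       # OK
speed_compare
```

The speed table shows the per-operation cost of the 4096-bit key, which in this design is paid only when the firewall signs a freshly issued leaf, not on every client handshake.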