Install Let’s Encrypt SSL Certificate for CWP Server Hostname/FQDN


I am going to show you the easy steps to install Let’s Encrypt SSL Certificate for your Server Hostname/FQDN on your CentOS Web Panel dashboard.

Go to Server Settings > Change Hostname in the left menu of the cwp.admin

  1. Enter the hostname
  2. Set key size (2048 or 4096)
  3. Choose services for SSL certificate installation
  4. Save by pressing the Change Hostname button

This will also generate a new free auto-SSL certificate and get it installed (provided you have a valid, working A record pointing the hostname at this server).

If you need to change the certificate manually, you can simply edit the files hostname.cert and hostname.key.
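Before swapping in a hand-edited hostname.cert and hostname.key, it is worth confirming that the key is a sensible size, that the certificate really belongs to that key, and that it is not about to expire; a mismatched pair silently breaks every service you selected in step 3. The script below is an added example, not CWP's own code or part of the original post. The file locations are assumptions (the post does not say which directory CWP keeps these files in), so pass your own paths; with no arguments it checks a constructed throwaway key/certificate pair instead.

```shell
#!/bin/sh
# Added example, not CWP's own code: pre-flight checks to run before
# hand-replacing hostname.cert / hostname.key. The file locations are an
# assumption (the post does not give the directory); pass your own paths.
set -eu

# Report the modulus size of a private key in bits (2048 or 4096 here).
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed (exit 0) only when the certificate's public key is the public half
# of the given private key. Comparing SHA-256 digests of the DER-encoded
# public keys works for RSA and ECDSA keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only when the certificate is still valid $2 days from now.
# Let's Encrypt certificates last 90 days, so 30 is a sensible threshold.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all checks on a cert/key pair and print a one-line verdict per check.
# Exit status is 0 only when every check passed.
check_hostname_pair() {
    cert=$1; key=$2; ok=0
    bits=$(key_bits "$key")
    case "$bits" in
        2048|3072|4096) echo "ok   key size: $bits bits" ;;
        *)              echo "FAIL key size: ${bits:-unknown} bits"; ok=1 ;;
    esac
    if cert_matches_key "$cert" "$key"; then
        echo "ok   certificate matches private key"
    else
        echo "FAIL certificate does not match private key"; ok=1
    fi
    if cert_valid_for_days "$cert" 30; then
        echo "ok   certificate valid for at least 30 more days"
    else
        echo "FAIL certificate expires within 30 days (or already expired)"; ok=1
    fi
    return $ok
}

# Constructed sample input: a throwaway 2048-bit key and a 90-day self-signed
# certificate standing in for hostname.key / hostname.cert.
make_sample_pair() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/hostname.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/hostname.key" -days 90 \
        -subj "/CN=cwp.example.invalid" -out "$dir/hostname.cert" 2>/dev/null
    echo "$dir"
}

# Usage: sh check_hostname_cert.sh /path/to/hostname.cert /path/to/hostname.key
# With no arguments, the constructed sample pair is checked instead.
if [ "$#" -eq 2 ]; then
    check_hostname_pair "$1" "$2"
elif [ "$#" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
    sample=$(make_sample_pair)
    check_hostname_pair "$sample/hostname.cert" "$sample/hostname.key"
fi
```

The public-key digest comparison is preferred over the common "compare the RSA modulus" trick because it also covers ECDSA certificates, and `-checkend` is used for the expiry test because it avoids parsing the notAfter date, which differs between GNU and BSD `date`.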

2048 or 4096 Key Size?

You’re probably already aware that with a 4096 bit key:

  • There’s an increase in encryption strength.
  • The SSL handshake at the start of each connection will be slower.
  • There’s an increase in CPU usage during handshakes.

Algorithms like RSA (unfortunately) don't double in strength when you add a single bit to the key.

A 2048-bit RSA key has a security strength of 112 bits: i.e., recovering the private key is estimated to take on the order of 2^112 operations.

Security strength   RSA key length (bits)
<= 80               1024
112                 2048
128                 3072
192                 7680
256                 15360

Measuring the increased load on the server

Bigger RSA key sizes may slow down the handshake from the user's point of view. On a Mac or Linux machine you can compare the time taken to sign with a 2048-bit RSA key versus a 4096-bit RSA key using the openssl speed rsa command:

                  sign    verify    sign/s verify/s
rsa  512 bits 0.000210s 0.000014s   4772.1  69667.5
rsa 1024 bits 0.000727s 0.000035s   1375.3  28508.9
rsa 2048 bits 0.003778s 0.000092s    264.7  10899.5
rsa 4096 bits 0.022637s 0.000305s     44.2   3275.4

Looking at the results, it’s pretty clear:

4096-bit handshakes are indeed significantly more expensive in CPU time than 2048-bit handshakes: signing takes roughly six times longer in the figures above.

But secure transfer protocols like HTTPS, FTPS, or SFTP normally use the RSA key only at the start of the connection, when it is used to establish the symmetric session keys. Once you start transmitting data, it is the symmetric keys that do the subsequent encryption.

So, the performance hit due to a 4096-bit key will only be felt within a small fraction of the entire file transfer session. Of course, if your server carries out a large number of concurrent file transfers, then the performance hits can add up.

Acceptability

Per NIST, RSA keys that are 2048 bits long (112-bit security strength) are acceptable until 2030.

Security strength   Through 2030   2031 and beyond
< 112               Disallowed     Disallowed
112                 Acceptable     Disallowed
128                 Acceptable     Acceptable
192                 Acceptable     Acceptable
256                 Acceptable     Acceptable