
I'm looking to generate a privatekey.pem and certificate.pem for authentication in a nodejs server. I know these can be generated via OpenSSL and then saved to a directory, but I also found pem to generate the key and cert on demand.

The answers to this question suggest that either is fine, though more people prefer the OpenSSL way.

Using pem sounds like it's going to be easier, but is there any security reason why I shouldn't generate the key and cert on demand in this way?

Luke Willis
  • The only thing I can think of is if you want to use a signed certificate, which would need to be generated by the CA. – Ben Fortune Jul 08 '14 at 14:31
  • @BenFortune Fair enough, but then the question still applies to the private key. – Luke Willis Jul 08 '14 at 14:44
  • Well, for me it's more a question of correctness. I know OpenSSL private key generation (and related activity like entropy gathering) has been audited. I don't know about the PEM library. In fact, I did not even see a source code download for the PEM library so I could examine the source code. So the PEM library is on the suspicious list for me. Also, the W3C's [WebCrypto](http://www.w3.org/TR/WebCryptoAPI/) might obsolete some parts of the PEM library. – jww Jul 08 '14 at 17:22

0 Answers