William Chan's blag

Configuring SSL – I Have No Idea What I’m Doing

When I first set up this server, I went to StartSSL to get a certificate. Not having done this ever before, I made a number of errors. First, I had StartSSL generate my private key for me. Probably a bad idea; I hope they don’t record that :P Second, I had them generate a 4096-bit key rather than a 2048-bit key. I had figured, the bigger the better, right? Well, in load testing this wimpy micro EC2 server, I found that the majority of the CPU usage is in nginx, and I have to imagine that it’s in the SSL handshake. Oops. I should have read this Stack Overflow thread first, I guess. I went to revoke my certificate today, but apparently they charge $25 per revocation. Oh well, I don’t expect much traffic anyway, and I’ll just change it when my certificate expires in a year. Lesson learned.