Org glite security trustmanager updating keymanager
As of 2012, a 2048-bit RSA signature with an exponent of 65537 expiring yearly is acceptable.When rotating keys, you should check for recommendations from an authority (such as NIST) about what is acceptable.Similar to a server, a CA has a certificate and a private key.When issuing a certificate for a server, the CA signs the server certificate using its private key.The client can then verify that the server has a certificate issued by a CA known to the platform.
It's possible that an application might use SSL incorrectly such that malicious entities may be able to intercept an app's data over the network.
There are several downsides to this simple approach.
Servers should be able to upgrade to stronger keys over time ("key rotation"), which replaces the public key in the certificate with a new one.
As part of the handshake between an SSL client and server, the server proves it has the private key by signing its certificate with public-key cryptography.
However, anyone can generate their own certificate and private key, so a simple handshake doesn't prove anything about the server other than that the server knows the private key that matches the public key of the certificate.