@Lloyd_mcse what is better here, a 2048 or a 4096 bit generated key? Can you give the performance differences here?
@Ankebut,
This question is not easily answered, since a lot of the relevant context is missing.
In general, it is not about 2048 or 4096 bit keys, even though one thing is clear: the 4096 is associated with a (small) performance penalty AND a higher test grade on ssllabs.com.
However, the context consists of much more than the key itself, amongst others:
a) using an Apache + Nginx stack (or a stand-alone Nginx), with the major points of concern being
1 - Nginx can be very secure with HSTS, OCSP and DHE and so on, but this does not say anything about the Nginx to Apache connection: Nginx directives secure Nginx (not Apache),
2 - Apache is accessible from the outside: Apache can be directly accessed, in the sense that the Nginx proxy can be bypassed, implying that a secure Nginx can become ineffective,
but the general advantage of the Apache + Nginx stack is that one can apply less strict settings for the Apache to Nginx connections, as long as Nginx is secure enough.
And with respect to the point of concern involving the direct access to Apache (see point 2 above), one can mitigate this problem by simply using caching mechanisms and/or settings that allow (on the one hand) browser caching and/or (on the other hand) direct serving of static files via Nginx.
b) the key generator should be secure: the latest and patched OpenSSL version should be used to generate any key, regardless of whether they are 1024, 2048 or 4096 bit keys.
In general, any non-patched version of OpenSSL can still cause security vulnerabilities, so there is a necessity to use keys generated with patched OpenSSL versions.
Note that the same applies to the OpenSSL version used at compile time for Nginx: the Nginx binary can be a security risk if a non-patched OpenSSL version has been used.
c) use 4096 bit Diffie-Hellman Ephemeral (DHE) keys, if and whenever possible.
For a very rough explanation, see the relevant part in the article
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
Note that DHE keys are very valuable: any security vulnerability becomes mitigated when using DHE, so this is rather convenient if a patch is not yet available.
d) the most important aspect is the CIPHER SUITE: make it as strict as possible.
Note that the current cipher suites in Plesk have been improved (compared to previous ones), but they are still not strict enough: there are some redundant cipher suites and some very low grade cipher suites, implying that some vulnerability is still present.
e) use secure applications and/or links: it does not make any sense to secure the server, while in the meantime using applications that are a security blackhole.
Well, to summarize all of the above in rough outlines:
- just use Nginx as a secure proxy: reduce the attack surface by increasing the security of Nginx to the maximum level,
- just use some caching mechanisms or serve static files via Nginx: keep traffic away from Apache, if and whenever possible,
- check and re-check the cipher suites: in essence, it is or should become a recurring task, to keep the cipher suites up-to-date and secure,
- be aware of the common pitfalls: keep track of issues with OpenSSL, see the gaps in the design structure of the stack used and so on,
and the above contains some general rules to create some good practice.
And, to answer your question "which key is better?" in short: the 4096 bit DHE key (and the penalty on performance is negligible).
Hope the above helps....
Regards....
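As an added example (not taken from either post above), here is how the points of the answer fit together in one Nginx server block: 4096-bit DHE parameters, a strict cipher list, HSTS, OCSP stapling, static files served directly by Nginx, and everything else proxied to an Apache that listens only on the loopback address. The certificate paths, host name, document root and the Apache port 8080 are assumptions.

```nginx
# Assumed placeholders: paths, host name, docroot and the Apache backend port.
# Generate the 4096-bit DHE parameters once beforehand (this can take a while):
#   openssl dhparam -out /etc/nginx/ssl/dhparam4096.pem 4096

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # assumed path
    ssl_dhparam         /etc/nginx/ssl/dhparam4096.pem;   # point c): 4096-bit DHE

    # point d): strict cipher suite, forward-secret suites only, no legacy protocols
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS and OCSP stapling for the Nginx front end
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;     # assumed path to the CA chain
    resolver 127.0.0.1 valid=300s;                        # assumed local resolver for OCSP

    # summary point: serve static files from Nginx, keep that traffic away from Apache
    location ~* \.(css|js|png|jpg|jpeg|gif|svg|ico|woff2?)$ {
        root /var/www/vhosts/example.com/httpdocs;        # assumed docroot
        expires 30d;
        add_header Cache-Control "public";
        # add_header in a location replaces the server-level headers, so repeat HSTS here
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    # point 2: Apache is bound to 127.0.0.1:8080 only (assumed), so the proxy cannot be bypassed
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Apache itself must be configured to listen on the loopback address only; otherwise the strict Nginx settings can still be bypassed, as the answer warns.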