Loading doc/HOWTO/certificates.txt +39 −16 Original line number Diff line number Diff line <DRAFT!> HOWTO certificates 1. Introduction How you handle certificates depend a great deal on what your role is. Your role can be one or several of: Loading @@ -13,12 +15,14 @@ Certificate authorities should read ca.txt. In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, /usr/local/ssr/ or somewhere else. The name is openssl.cnf, and /usr/local/ssl/ or somewhere else. The name is openssl.cnf, and is better described in another HOWTO <config.txt?>. If you want to use a different configuration file, use the argument '-config {file}' with the command shown below. 2. Relationship with keys Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key somewhere. With OpenSSL, public keys are easily derived from private Loading @@ -26,22 +30,25 @@ keys, so before you create a certificate or a certificate request, you need to create a private key. Private keys are generated with 'openssl genrsa' if you want a RSA private key, or 'openssl gendsa' if you want a DSA private key. More info on how to handle these commands are found in the manual pages for those commands or by running them with the argument '-h'. For the sake of the description in this file, let's assume that the private key ended up in the file privkey.pem (which is the default in some cases). Let's start with the most normal way of getting a certificate. Most often, you want or need to get a certificate from a certificate authority. To handle that, the certificate authority needs a certificate request (or, as some certificate authorities like to put private key, or 'openssl gendsa' if you want a DSA private key. Further information on how to create private keys can be found in another HOWTO <keys.txt?>. The rest of this text assumes you have a private key in the file privkey.pem. 3. Creating a certificate request To create a certificate, you need to start with a certificate request (or, as some certificate authorities like to put it, "certificate signing request", since that's exactly what they do, they sign it and give you the result back, thus making it authentic according to their policies) from you. To generate a request, use the command 'openssl req' like this: according to their policies). A certificate request can then be sent to a certificate authority to get it signed into a certificate, or if you have your own certificate authority, you may sign it yourself, or if you need a self-signed certificate (because you just want a test certificate or because you are setting up your own CA). The certificate is created like this: openssl req -new -key privkey.pem -out cert.csr Loading @@ -55,9 +62,25 @@ When the certificate authority has then done the checks the need to do (and probably gotten payment from you), they will hand over your new certificate to you. Section 5 will tell you more on how to handle the certificate you received. 4. Creating a self-signed certificate If you don't want to deal with another certificate authority, or just want to create a test certificate for yourself, or are setting up a certificate authority of your own, you may want to make the requested certificate a self-signed one. If you have created a certificate request as shown above, you can sign it using the 'openssl x509' command, for example like this (to create a self-signed CA certificate): openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \ -signkey privkey.pem -out cacert.pem -trustout [fill in on how to create a self-signed certificate] 5. What to do with the certificate If you created everything yourself, or if the certificate authority was kind enough, your certificate is a raw DER thing in PEM format. Loading doc/HOWTO/keys.txt 0 → 100644 +73 −0 Original line number Diff line number Diff line <DRAFT!> HOWTO keys 1. Introduction Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one half being the public key and the other half being the private key. With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately. Public keys come in several flavors, using different cryptographic algorithms. The most popular ones associated with certificates are RSA and DSA, and this HOWTO will show how to generate each of them. 2. To generate a RSA key A RSA key can be used both for encryption and for signing. Generating a key for the RSA algorithm is quite easy, all you have to do is the following: openssl genrsa -des3 -out privkey.pem 2048 With this variant, you will be prompted for a protecting password. If you don't want your key to be protected by a password, remove the flag '-des3' from the command line above. NOTE: if you intend to use the key together with a server certificate, it may be a good thing to avoid protecting it with a password, since that would mean someone would have to type in the password every time the server needs to access the key. The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as fewer amount of bits is consider insecure or to be insecure pretty soon. 3. To generate a DSA key A DSA key can be used both for signing only. This is important to keep in mind to know what kind of purposes a certificate request with a DSA key can really be used for. Generating a key for the DSA algorithm is a two-step process. First, you have to generate parameters from which to generate the key: openssl dsaparam -out dsaparam.pem 2048 The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for DSA keys, as fewer amount of bits is consider insecure or to be insecure pretty soon. When that is done, you can generate a key using the parameters in question (actually, several keys can be generated from the same parameters): openssl gendsa -des3 -out privkey.pem dsaparam.pem With this variant, you will be prompted for a protecting password. If you don't want your key to be protected by a password, remove the flag '-des3' from the command line above. NOTE: if you intend to use the key together with a server certificate, it may be a good thing to avoid protecting it with a password, since that would mean someone would have to type in the password every time the server needs to access the key. -- Richard Levitte Loading
doc/HOWTO/certificates.txt +39 −16 Original line number Diff line number Diff line <DRAFT!> HOWTO certificates 1. Introduction How you handle certificates depend a great deal on what your role is. Your role can be one or several of: Loading @@ -13,12 +15,14 @@ Certificate authorities should read ca.txt. In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, /usr/local/ssr/ or somewhere else. The name is openssl.cnf, and /usr/local/ssl/ or somewhere else. The name is openssl.cnf, and is better described in another HOWTO <config.txt?>. If you want to use a different configuration file, use the argument '-config {file}' with the command shown below. 2. Relationship with keys Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key somewhere. With OpenSSL, public keys are easily derived from private Loading @@ -26,22 +30,25 @@ keys, so before you create a certificate or a certificate request, you need to create a private key. Private keys are generated with 'openssl genrsa' if you want a RSA private key, or 'openssl gendsa' if you want a DSA private key. More info on how to handle these commands are found in the manual pages for those commands or by running them with the argument '-h'. For the sake of the description in this file, let's assume that the private key ended up in the file privkey.pem (which is the default in some cases). Let's start with the most normal way of getting a certificate. Most often, you want or need to get a certificate from a certificate authority. To handle that, the certificate authority needs a certificate request (or, as some certificate authorities like to put private key, or 'openssl gendsa' if you want a DSA private key. Further information on how to create private keys can be found in another HOWTO <keys.txt?>. The rest of this text assumes you have a private key in the file privkey.pem. 3. Creating a certificate request To create a certificate, you need to start with a certificate request (or, as some certificate authorities like to put it, "certificate signing request", since that's exactly what they do, they sign it and give you the result back, thus making it authentic according to their policies) from you. To generate a request, use the command 'openssl req' like this: according to their policies). A certificate request can then be sent to a certificate authority to get it signed into a certificate, or if you have your own certificate authority, you may sign it yourself, or if you need a self-signed certificate (because you just want a test certificate or because you are setting up your own CA). The certificate is created like this: openssl req -new -key privkey.pem -out cert.csr Loading @@ -55,9 +62,25 @@ When the certificate authority has then done the checks the need to do (and probably gotten payment from you), they will hand over your new certificate to you. Section 5 will tell you more on how to handle the certificate you received. 4. Creating a self-signed certificate If you don't want to deal with another certificate authority, or just want to create a test certificate for yourself, or are setting up a certificate authority of your own, you may want to make the requested certificate a self-signed one. If you have created a certificate request as shown above, you can sign it using the 'openssl x509' command, for example like this (to create a self-signed CA certificate): openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \ -signkey privkey.pem -out cacert.pem -trustout [fill in on how to create a self-signed certificate] 5. What to do with the certificate If you created everything yourself, or if the certificate authority was kind enough, your certificate is a raw DER thing in PEM format. Loading
doc/HOWTO/keys.txt 0 → 100644 +73 −0 Original line number Diff line number Diff line <DRAFT!> HOWTO keys 1. Introduction Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one half being the public key and the other half being the private key. With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately. Public keys come in several flavors, using different cryptographic algorithms. The most popular ones associated with certificates are RSA and DSA, and this HOWTO will show how to generate each of them. 2. To generate a RSA key A RSA key can be used both for encryption and for signing. Generating a key for the RSA algorithm is quite easy, all you have to do is the following: openssl genrsa -des3 -out privkey.pem 2048 With this variant, you will be prompted for a protecting password. If you don't want your key to be protected by a password, remove the flag '-des3' from the command line above. NOTE: if you intend to use the key together with a server certificate, it may be a good thing to avoid protecting it with a password, since that would mean someone would have to type in the password every time the server needs to access the key. The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as fewer amount of bits is consider insecure or to be insecure pretty soon. 3. To generate a DSA key A DSA key can be used both for signing only. This is important to keep in mind to know what kind of purposes a certificate request with a DSA key can really be used for. Generating a key for the DSA algorithm is a two-step process. First, you have to generate parameters from which to generate the key: openssl dsaparam -out dsaparam.pem 2048 The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for DSA keys, as fewer amount of bits is consider insecure or to be insecure pretty soon. When that is done, you can generate a key using the parameters in question (actually, several keys can be generated from the same parameters): openssl gendsa -des3 -out privkey.pem dsaparam.pem With this variant, you will be prompted for a protecting password. If you don't want your key to be protected by a password, remove the flag '-des3' from the command line above. NOTE: if you intend to use the key together with a server certificate, it may be a good thing to avoid protecting it with a password, since that would mean someone would have to type in the password every time the server needs to access the key. -- Richard Levitte
