2001-02-19 16:06:34 +00:00
|
|
|
<DRAFT!>
|
2000-12-01 17:44:33 +00:00
|
|
|
HOWTO certificates
|
|
|
|
|
2003-01-14 15:46:36 +00:00
|
|
|
1. Introduction
|
|
|
|
|
2000-12-01 17:44:33 +00:00
|
|
|
How you handle certificates depend a great deal on what your role is.
|
|
|
|
Your role can be one or several of:
|
|
|
|
|
|
|
|
- User of some client software
|
|
|
|
- User of some server software
|
|
|
|
- Certificate authority
|
|
|
|
|
|
|
|
This file is for users who wish to get a certificate of their own.
|
|
|
|
Certificate authorities should read ca.txt.
|
|
|
|
|
|
|
|
In all the cases shown below, the standard configuration file, as
|
|
|
|
compiled into openssl, will be used. You may find it in /etc/,
|
2003-01-14 15:46:36 +00:00
|
|
|
/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and
|
2001-02-19 16:06:34 +00:00
|
|
|
is better described in another HOWTO <config.txt?>. If you want to
|
2000-12-01 17:44:33 +00:00
|
|
|
use a different configuration file, use the argument '-config {file}'
|
|
|
|
with the command shown below.
|
|
|
|
|
|
|
|
|
2003-01-14 15:46:36 +00:00
|
|
|
2. Relationship with keys
|
|
|
|
|
2000-12-01 17:44:33 +00:00
|
|
|
Certificates are related to public key cryptography by containing a
|
|
|
|
public key. To be useful, there must be a corresponding private key
|
|
|
|
somewhere. With OpenSSL, public keys are easily derived from private
|
|
|
|
keys, so before you create a certificate or a certificate request, you
|
|
|
|
need to create a private key.
|
|
|
|
|
|
|
|
Private keys are generated with 'openssl genrsa' if you want a RSA
|
2003-01-14 15:46:36 +00:00
|
|
|
private key, or 'openssl gendsa' if you want a DSA private key.
|
|
|
|
Further information on how to create private keys can be found in
|
|
|
|
another HOWTO <keys.txt?>. The rest of this text assumes you have
|
|
|
|
a private key in the file privkey.pem.
|
|
|
|
|
|
|
|
|
|
|
|
3. Creating a certificate request
|
|
|
|
|
|
|
|
To create a certificate, you need to start with a certificate
|
|
|
|
request (or, as some certificate authorities like to put
|
2000-12-01 17:44:33 +00:00
|
|
|
it, "certificate signing request", since that's exactly what they do,
|
|
|
|
they sign it and give you the result back, thus making it authentic
|
2003-01-14 15:46:36 +00:00
|
|
|
according to their policies). A certificate request can then be sent
|
|
|
|
to a certificate authority to get it signed into a certificate, or if
|
|
|
|
you have your own certificate authority, you may sign it yourself, or
|
|
|
|
if you need a self-signed certificate (because you just want a test
|
|
|
|
certificate or because you are setting up your own CA).
|
|
|
|
|
2003-04-03 21:55:57 +00:00
|
|
|
The certificate request is created like this:
|
2000-12-01 17:44:33 +00:00
|
|
|
|
|
|
|
openssl req -new -key privkey.pem -out cert.csr
|
|
|
|
|
|
|
|
Now, cert.csr can be sent to the certificate authority, if they can
|
|
|
|
handle files in PEM format. If not, use the extra argument '-outform'
|
|
|
|
followed by the keyword for the format to use (see another HOWTO
|
2001-02-19 16:06:34 +00:00
|
|
|
<formats.txt?>). In some cases, that isn't sufficient and you will
|
2000-12-01 17:44:33 +00:00
|
|
|
have to be more creative.
|
|
|
|
|
|
|
|
When the certificate authority has then done the checks the need to
|
|
|
|
do (and probably gotten payment from you), they will hand over your
|
|
|
|
new certificate to you.
|
|
|
|
|
2003-01-14 15:46:36 +00:00
|
|
|
Section 5 will tell you more on how to handle the certificate you
|
|
|
|
received.
|
|
|
|
|
|
|
|
|
|
|
|
4. Creating a self-signed certificate
|
|
|
|
|
|
|
|
If you don't want to deal with another certificate authority, or just
|
|
|
|
want to create a test certificate for yourself, or are setting up a
|
|
|
|
certificate authority of your own, you may want to make the requested
|
2003-04-03 22:12:50 +00:00
|
|
|
certificate a self-signed one. This is similar to creating a
|
|
|
|
certificate request, but creates a certificate instead of a
|
|
|
|
certificate request (1095 is 3 years):
|
2003-01-14 15:46:36 +00:00
|
|
|
|
2003-04-03 22:12:50 +00:00
|
|
|
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
|
2000-12-01 17:44:33 +00:00
|
|
|
|
|
|
|
|
2003-01-14 15:46:36 +00:00
|
|
|
5. What to do with the certificate
|
2000-12-01 17:44:33 +00:00
|
|
|
|
|
|
|
If you created everything yourself, or if the certificate authority
|
|
|
|
was kind enough, your certificate is a raw DER thing in PEM format.
|
|
|
|
Your key most definitely is if you have followed the examples above.
|
|
|
|
However, some (most?) certificate authorities will encode them with
|
|
|
|
things like PKCS7 or PKCS12, or something else. Depending on your
|
|
|
|
applications, this may be perfectly OK, it all depends on what they
|
|
|
|
know how to decode. If not, There are a number of OpenSSL tools to
|
|
|
|
convert between some (most?) formats.
|
|
|
|
|
|
|
|
So, depending on your application, you may have to convert your
|
|
|
|
certificate and your key to various formats, most often also putting
|
|
|
|
them together into one file. The ways to do this is described in
|
2001-02-19 16:06:34 +00:00
|
|
|
another HOWTO <formats.txt?>, I will just mention the simplest case.
|
2000-12-01 17:44:33 +00:00
|
|
|
In the case of a raw DER thing in PEM format, and assuming that's all
|
|
|
|
right for yor applications, simply concatenating the certificate and
|
|
|
|
the key into a new file and using that one should be enough. With
|
|
|
|
some applications, you don't even have to do that.
|
|
|
|
|
|
|
|
|
|
|
|
By now, you have your cetificate and your private key and can start
|
|
|
|
using the software that depend on it.
|
|
|
|
|
|
|
|
--
|
|
|
|
Richard Levitte
|