Extend the HOWTO on creating certificates, and add a HOWTO in creating keys.
PR: 422
This commit is contained in:
parent
52e5e5c2ba
commit
cdc5b4a41e
2 changed files with 110 additions and 14 deletions
|
@ -1,6 +1,8 @@
|
|||
<DRAFT!>
|
||||
HOWTO certificates
|
||||
|
||||
1. Introduction
|
||||
|
||||
How you handle certificates depend a great deal on what your role is.
|
||||
Your role can be one or several of:
|
||||
|
||||
|
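Review bot: "How you handle certificates depend a great deal on what your role is" should read "depends", since the subject is the clause "how you handle certificates"; the hunk already touches this paragraph, so the fix is cheap to fold in. The <DRAFT!> marker added at the top is useful, but consider one line under it naming what is still missing, so the draft status tells the reader something actionable.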
@ -13,12 +15,14 @@ Certificate authorities should read ca.txt.
|
|||
|
||||
In all the cases shown below, the standard configuration file, as
|
||||
compiled into openssl, will be used. You may find it in /etc/,
|
||||
/usr/local/ssr/ or somewhere else. The name is openssl.cnf, and
|
||||
/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and
|
||||
is better described in another HOWTO <config.txt?>. If you want to
|
||||
use a different configuration file, use the argument '-config {file}'
|
||||
with the command shown below.
|
||||
|
||||
|
||||
2. Relationship with keys
|
||||
|
||||
Certificates are related to public key cryptography by containing a
|
||||
public key. To be useful, there must be a corresponding private key
|
||||
somewhere. With OpenSSL, public keys are easily derived from private
|
||||
|
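Review bot: the /usr/local/ssr/ to /usr/local/ssl/ correction is right, but the same paragraph still points at "another HOWTO <config.txt?>" with a question mark, i.e. an unresolved reference; either name an existing file or mark it explicitly as TODO so it is not shipped as-is. Also "with the command shown below" should be "with the commands shown below", since several commands follow, and it is worth saying that '-config {file}' applies to each openssl subcommand used in this text, not just one of them.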
@ -26,22 +30,25 @@ keys, so before you create a certificate or a certificate request, you
|
|||
need to create a private key.
|
||||
|
||||
Private keys are generated with 'openssl genrsa' if you want a RSA
|
||||
private key, or 'openssl gendsa' if you want a DSA private key. More
|
||||
info on how to handle these commands are found in the manual pages for
|
||||
those commands or by running them with the argument '-h'. For the
|
||||
sake of the description in this file, let's assume that the private
|
||||
key ended up in the file privkey.pem (which is the default in some
|
||||
cases).
|
||||
private key, or 'openssl gendsa' if you want a DSA private key.
|
||||
Further information on how to create private keys can be found in
|
||||
another HOWTO <keys.txt?>. The rest of this text assumes you have
|
||||
a private key in the file privkey.pem.
|
||||
|
||||
|
||||
Let's start with the most normal way of getting a certificate. Most
|
||||
often, you want or need to get a certificate from a certificate
|
||||
authority. To handle that, the certificate authority needs a
|
||||
certificate request (or, as some certificate authorities like to put
|
||||
3. Creating a certificate request
|
||||
|
||||
To create a certificate, you need to start with a certificate
|
||||
request (or, as some certificate authorities like to put
|
||||
it, "certificate signing request", since that's exactly what they do,
|
||||
they sign it and give you the result back, thus making it authentic
|
||||
according to their policies) from you. To generate a request, use the
|
||||
command 'openssl req' like this:
|
||||
according to their policies). A certificate request can then be sent
|
||||
to a certificate authority to get it signed into a certificate, or if
|
||||
you have your own certificate authority, you may sign it yourself, or
|
||||
if you need a self-signed certificate (because you just want a test
|
||||
certificate or because you are setting up your own CA).
|
||||
|
||||
The certificate is created like this:
|
||||
|
||||
openssl req -new -key privkey.pem -out cert.csr
|
||||
|
||||
|
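Review bot: "The certificate is created like this:" is wrong for the command that follows; `openssl req -new -key privkey.pem -out cert.csr` produces a certificate request, and the section is titled "Creating a certificate request", so the line should read "The certificate request is created like this:" (mislabelling the CSR as a certificate is exactly the confusion the section sets out to clear up). In the same paragraph, "you may sign it yourself, or if you need a self-signed certificate (because ...)" has no main clause after "or if"; suggest "or you may sign it with the request's own key if you need a self-signed certificate (...)", which also prepares the reader for section 4.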
@ -55,9 +62,25 @@ When the certificate authority has then done the checks the need to
|
|||
do (and probably gotten payment from you), they will hand over your
|
||||
new certificate to you.
|
||||
|
||||
Section 5 will tell you more on how to handle the certificate you
|
||||
received.
|
||||
|
||||
[fill in on how to create a self-signed certificate]
|
||||
|
||||
4. Creating a self-signed certificate
|
||||
|
||||
If you don't want to deal with another certificate authority, or just
|
||||
want to create a test certificate for yourself, or are setting up a
|
||||
certificate authority of your own, you may want to make the requested
|
||||
certificate a self-signed one. If you have created a certificate
|
||||
request as shown above, you can sign it using the 'openssl x509'
|
||||
command, for example like this (to create a self-signed CA
|
||||
certificate):
|
||||
|
||||
openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \
|
||||
-signkey privkey.pem -out cacert.pem -trustout
|
||||
|
||||
|
||||
5. What to do with the certificate
|
||||
|
||||
If you created everything yourself, or if the certificate authority
|
||||
was kind enough, your certificate is a raw DER thing in PEM format.
|
||||
|
|
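Review bot: the new self-signed example `openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca -signkey privkey.pem -out cacert.pem -trustout` omits -days, so the certificate gets openssl x509's default validity of 30 days, which is rarely what someone setting up a CA wants; suggest adding e.g. `-days 365` and saying in the text that the default is short. `-extfile openssl.cnf` also assumes the configuration file is in the current directory, while section 1 says it lives in /etc/ or /usr/local/ssl/; point at that path or mention the difference. One sentence that -signkey must be the same private key used to create cert.csr would help, since otherwise the resulting certificate's public key does not belong to the key the reader holds. Minor, in the context lines: "the checks the need to do" should be "the checks they need to do".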
73
doc/HOWTO/keys.txt
Normal file
|
@ -0,0 +1,73 @@
|
|||
<DRAFT!>
|
||||
HOWTO keys
|
||||
|
||||
1. Introduction
|
||||
|
||||
Keys are the basis of public key algorithms and PKI. Keys usually
|
||||
come in pairs, with one half being the public key and the other half
|
||||
being the private key. With OpenSSL, the private key contains the
|
||||
public key information as well, so a public key doesn't need to be
|
||||
generated separately.
|
||||
|
||||
Public keys come in several flavors, using different cryptographic
|
||||
algorithms. The most popular ones associated with certificates are
|
||||
RSA and DSA, and this HOWTO will show how to generate each of them.
|
||||
|
||||
|
||||
2. To generate a RSA key
|
||||
|
||||
A RSA key can be used both for encryption and for signing.
|
||||
|
||||
Generating a key for the RSA algorithm is quite easy, all you have to
|
||||
do is the following:
|
||||
|
||||
openssl genrsa -des3 -out privkey.pem 2048
|
||||
|
||||
With this variant, you will be prompted for a protecting password. If
|
||||
you don't want your key to be protected by a password, remove the flag
|
||||
'-des3' from the command line above.
|
||||
|
||||
NOTE: if you intend to use the key together with a server
|
||||
certificate, it may be a good thing to avoid protecting it
|
||||
with a password, since that would mean someone would have to
|
||||
type in the password every time the server needs to access
|
||||
the key.
|
||||
|
||||
The number 2048 is the size of the key, in bits. Today, 2048 or
|
||||
higher is recommended for RSA keys, as fewer amount of bits is
|
||||
consider insecure or to be insecure pretty soon.
|
||||
|
||||
|
||||
3. To generate a DSA key
|
||||
|
||||
A DSA key can be used both for signing only. This is important to
|
||||
keep in mind to know what kind of purposes a certificate request with
|
||||
a DSA key can really be used for.
|
||||
|
||||
Generating a key for the DSA algorithm is a two-step process. First,
|
||||
you have to generate parameters from which to generate the key:
|
||||
|
||||
openssl dsaparam -out dsaparam.pem 2048
|
||||
|
||||
The number 2048 is the size of the key, in bits. Today, 2048 or
|
||||
higher is recommended for DSA keys, as fewer amount of bits is
|
||||
consider insecure or to be insecure pretty soon.
|
||||
|
||||
When that is done, you can generate a key using the parameters in
|
||||
question (actually, several keys can be generated from the same
|
||||
parameters):
|
||||
|
||||
openssl gendsa -des3 -out privkey.pem dsaparam.pem
|
||||
|
||||
With this variant, you will be prompted for a protecting password. If
|
||||
you don't want your key to be protected by a password, remove the flag
|
||||
'-des3' from the command line above.
|
||||
|
||||
NOTE: if you intend to use the key together with a server
|
||||
certificate, it may be a good thing to avoid protecting it
|
||||
with a password, since that would mean someone would have to
|
||||
type in the password every time the server needs to access
|
||||
the key.
|
||||
|
||||
--
|
||||
Richard Levitte
|
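Review bot: "A DSA key can be used both for signing only" contradicts itself; drop "both" so it reads "can be used for signing only" (the point that follows, that a certificate request with a DSA key cannot be used for encryption, is the right one to make). The sentence "fewer amount of bits is consider insecure or to be insecure pretty soon" appears verbatim in both the RSA and DSA sections and should read "fewer bits are considered insecure, or are likely to become insecure soon"; consider stating the key-size guidance once in the introduction instead of twice. The two identical NOTE blocks advise leaving a server key without a password, which is sound operationally, but the text should then say that an unencrypted privkey.pem has to be protected by file permissions (readable only by the account the server runs as), since the passphrase is no longer doing that job. The NOTE block itself is also duplicated verbatim between sections 2 and 3 and could be written once after the genrsa example with a back-reference from the gendsa one.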