Diffstat (limited to 'crypto/openssl/doc/HOWTO')
-rw-r--r--  crypto/openssl/doc/HOWTO/certificates.txt  106
-rw-r--r--  crypto/openssl/doc/HOWTO/keys.txt           73
2 files changed, 0 insertions, 179 deletions
diff --git a/crypto/openssl/doc/HOWTO/certificates.txt b/crypto/openssl/doc/HOWTO/certificates.txt
deleted file mode 100644
index d3a62545adf3..000000000000
--- a/crypto/openssl/doc/HOWTO/certificates.txt
+++ /dev/null
@@ -1,106 +0,0 @@
-<DRAFT!>
- HOWTO certificates
-
-1. Introduction
-
-How you handle certificates depend a great deal on what your role is.
-Your role can be one or several of:
-
- - User of some client software
- - User of some server software
- - Certificate authority
-
-This file is for users who wish to get a certificate of their own.
-Certificate authorities should read ca.txt.
-
-In all the cases shown below, the standard configuration file, as
-compiled into openssl, will be used. You may find it in /etc/,
-/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and
-is better described in another HOWTO <config.txt?>. If you want to
-use a different configuration file, use the argument '-config {file}'
-with the command shown below.
-
-
-2. Relationship with keys
-
-Certificates are related to public key cryptography by containing a
-public key. To be useful, there must be a corresponding private key
-somewhere. With OpenSSL, public keys are easily derived from private
-keys, so before you create a certificate or a certificate request, you
-need to create a private key.
-
-Private keys are generated with 'openssl genrsa' if you want a RSA
-private key, or 'openssl gendsa' if you want a DSA private key.
-Further information on how to create private keys can be found in
-another HOWTO <keys.txt?>. The rest of this text assumes you have
-a private key in the file privkey.pem.
-
-
-3. Creating a certificate request
-
-To create a certificate, you need to start with a certificate
-request (or, as some certificate authorities like to put
-it, "certificate signing request", since that's exactly what they do,
-they sign it and give you the result back, thus making it authentic
-according to their policies). A certificate request can then be sent
-to a certificate authority to get it signed into a certificate, or if
-you have your own certificate authority, you may sign it yourself, or
-if you need a self-signed certificate (because you just want a test
-certificate or because you are setting up your own CA).
-
-The certificate request is created like this:
-
- openssl req -new -key privkey.pem -out cert.csr
-
-Now, cert.csr can be sent to the certificate authority, if they can
-handle files in PEM format. If not, use the extra argument '-outform'
-followed by the keyword for the format to use (see another HOWTO
-<formats.txt?>). In some cases, that isn't sufficient and you will
-have to be more creative.
-
-When the certificate authority has then done the checks the need to
-do (and probably gotten payment from you), they will hand over your
-new certificate to you.
-
-Section 5 will tell you more on how to handle the certificate you
-received.
-
-
-4. Creating a self-signed certificate
-
-If you don't want to deal with another certificate authority, or just
-want to create a test certificate for yourself, or are setting up a
-certificate authority of your own, you may want to make the requested
-certificate a self-signed one. This is similar to creating a
-certificate request, but creates a certificate instead of a
-certificate request (1095 is 3 years):
-
- openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
-
-
-5. What to do with the certificate
-
-If you created everything yourself, or if the certificate authority
-was kind enough, your certificate is a raw DER thing in PEM format.
-Your key most definitely is if you have followed the examples above.
-However, some (most?) certificate authorities will encode them with
-things like PKCS7 or PKCS12, or something else. Depending on your
-applications, this may be perfectly OK, it all depends on what they
-know how to decode. If not, There are a number of OpenSSL tools to
-convert between some (most?) formats.
-
-So, depending on your application, you may have to convert your
-certificate and your key to various formats, most often also putting
-them together into one file. The ways to do this is described in
-another HOWTO <formats.txt?>, I will just mention the simplest case.
-In the case of a raw DER thing in PEM format, and assuming that's all
-right for yor applications, simply concatenating the certificate and
-the key into a new file and using that one should be enough. With
-some applications, you don't even have to do that.
-
-
-By now, you have your cetificate and your private key and can start
-using the software that depend on it.
-
---
-Richard Levitte
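Review bot: dangling cross-references are the thing to check before this lands. Section 1 of the removed certificates.txt sends certificate authorities to ca.txt, and sections 1, 3 and 5 point at config.txt and formats.txt, while the diffstat for doc/HOWTO lists only certificates.txt and keys.txt. If any other file stays in that directory or elsewhere in the tree and refers back to certificates.txt or keys.txt, update or drop that reference in the same commit.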
diff --git a/crypto/openssl/doc/HOWTO/keys.txt b/crypto/openssl/doc/HOWTO/keys.txt
deleted file mode 100644
index 45f42eaaf1b7..000000000000
--- a/crypto/openssl/doc/HOWTO/keys.txt
+++ /dev/null
@@ -1,73 +0,0 @@
-<DRAFT!>
- HOWTO keys
-
-1. Introduction
-
-Keys are the basis of public key algorithms and PKI. Keys usually
-come in pairs, with one half being the public key and the other half
-being the private key. With OpenSSL, the private key contains the
-public key information as well, so a public key doesn't need to be
-generated separately.
-
-Public keys come in several flavors, using different cryptographic
-algorithms. The most popular ones associated with certificates are
-RSA and DSA, and this HOWTO will show how to generate each of them.
-
-
-2. To generate a RSA key
-
-A RSA key can be used both for encryption and for signing.
-
-Generating a key for the RSA algorithm is quite easy, all you have to
-do is the following:
-
- openssl genrsa -des3 -out privkey.pem 2048
-
-With this variant, you will be prompted for a protecting password. If
-you don't want your key to be protected by a password, remove the flag
-'-des3' from the command line above.
-
- NOTE: if you intend to use the key together with a server
- certificate, it may be a good thing to avoid protecting it
- with a password, since that would mean someone would have to
- type in the password every time the server needs to access
- the key.
-
-The number 2048 is the size of the key, in bits. Today, 2048 or
-higher is recommended for RSA keys, as fewer amount of bits is
-consider insecure or to be insecure pretty soon.
-
-
-3. To generate a DSA key
-
-A DSA key can be used both for signing only. This is important to
-keep in mind to know what kind of purposes a certificate request with
-a DSA key can really be used for.
-
-Generating a key for the DSA algorithm is a two-step process. First,
-you have to generate parameters from which to generate the key:
-
- openssl dsaparam -out dsaparam.pem 2048
-
-The number 2048 is the size of the key, in bits. Today, 2048 or
-higher is recommended for DSA keys, as fewer amount of bits is
-consider insecure or to be insecure pretty soon.
-
-When that is done, you can generate a key using the parameters in
-question (actually, several keys can be generated from the same
-parameters):
-
- openssl gendsa -des3 -out privkey.pem dsaparam.pem
-
-With this variant, you will be prompted for a protecting password. If
-you don't want your key to be protected by a password, remove the flag
-'-des3' from the command line above.
-
- NOTE: if you intend to use the key together with a server
- certificate, it may be a good thing to avoid protecting it
- with a password, since that would mean someone would have to
- type in the password every time the server needs to access
- the key.
-
---
-Richard Levitte
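Review bot: nothing in this hunk or the diffstat shows where readers of keys.txt should go instead. The file carried the key-size guidance in sections 2 and 3 ("2048 or higher is recommended") and the NOTE, repeated in both sections, about leaving a server key without a password. Suggest naming the replacement documentation in the commit message, and checking that no install list or manifest still names doc/HOWTO/keys.txt.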