X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;ds=sidebyside;f=doc%2FHOWTO%2Fcertificates.txt;h=65f8fc8296cdf6f9b18a4a769a6f4467b79b0bb4;hb=918d8eadb35746456fd1a9d4e219c63ff706173e;hp=88048645dbefa736ce6fa8c67385ab2fc69fb709;hpb=cf1b7d96647d55e533f779e476e3d4371f40445a;p=oweals%2Fopenssl.git diff --git a/doc/HOWTO/certificates.txt b/doc/HOWTO/certificates.txt index 88048645db..65f8fc8296 100644 --- a/doc/HOWTO/certificates.txt +++ b/doc/HOWTO/certificates.txt @@ -1,23 +1,27 @@ HOWTO certificates -How you handle certificates depend a great deal on what your role is. +1. Introduction + +How you handle certificates depends a great deal on what your role is. Your role can be one or several of: - - User of some client software - - User of some server software + - User of some client application + - User of some server application - Certificate authority This file is for users who wish to get a certificate of their own. -Certificate authorities should read ca.txt. +Certificate authorities should read https://www.openssl.org/docs/apps/ca.html. In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, -/usr/local/ssr/ or somewhere else. The name is openssl.cnf, and -is better described in another HOWTO . If you want to -use a different configuration file, use the argument '-config {file}' -with the command shown below. +/usr/local/ssl/ or somewhere else. By default the file is named +openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. +You can specify a different configuration file using the +'-config {file}' argument with the commands shown below. + +2. Relationship with keys Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key @@ -25,39 +29,60 @@ somewhere. With OpenSSL, public keys are easily derived from private keys, so before you create a certificate or a certificate request, you need to create a private key. -Private keys are generated with 'openssl genrsa' if you want a RSA -private key, or 'openssl gendsa' if you want a DSA private key. More -info on how to handle these commands are found in the manual pages for -those commands or by running them with the argument '-h'. For the -sake of the description in this file, let's assume that the private -key ended up in the file privkey.pem (which is the default in some -cases). +Private keys are generated with 'openssl genrsa -out privkey.pem' if +you want a RSA private key, or if you want a DSA private key: +'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'. + +The private keys created by these commands are not passphrase protected; +it might or might not be the desirable thing. Further information on how to +create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt. +The rest of this text assumes you have a private key in the file privkey.pem. + + +3. Creating a certificate request +To create a certificate, you need to start with a certificate request +(or, as some certificate authorities like to put it, "certificate +signing request", since that's exactly what they do, they sign it and +give you the result back, thus making it authentic according to their +policies). A certificate request is sent to a certificate authority +to get it signed into a certificate. You can also sign the certificate +yourself if you have your own certificate authority or create a +self-signed certificate (typically for testing purpose). -Let's start with the most normal way of getting a certificate. Most -often, you want or need to get a certificate from a certificate -authority. To handle that, the certificate authority needs a -certificate request (or, as some certificate authorities like to put -it, "certificate signing request", since that's exactly what they do, -they sign it and give you the result back, thus making it authentic -according to their policies) from you. To generate a request, use the -command 'openssl req' like this: +The certificate request is created like this: openssl req -new -key privkey.pem -out cert.csr Now, cert.csr can be sent to the certificate authority, if they can handle files in PEM format. If not, use the extra argument '-outform' followed by the keyword for the format to use (see another HOWTO -). In some cases, that isn't sufficient and you will -have to be more creative. +). In some cases, -outform does not let you output the +certificate request in the right format and you will have to use one +of the various other commands that are exposed by openssl (or get +creative and use a combination of tools). + +The certificate authority performs various checks (according to their +policies) and usually waits for payment from you. Once that is +complete, they send you your new certificate. + +Section 5 will tell you more on how to handle the certificate you +received. + + +4. Creating a self-signed test certificate -When the certificate authority has then done the checks the need to -do (and probably gotten payment from you), they will hand over your -new certificate to you. +You can create a self-signed certificate if you don't want to deal +with a certificate authority, or if you just want to create a test +certificate for yourself. This is similar to creating a certificate +request, but creates a certificate instead of a certificate request. +This is NOT the recommended way to create a CA certificate, see +https://www.openssl.org/docs/apps/ca.html. + openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 -[fill in on how to create a self-signed certificate] +5. What to do with the certificate If you created everything yourself, or if the certificate authority was kind enough, your certificate is a raw DER thing in PEM format. @@ -73,13 +98,13 @@ certificate and your key to various formats, most often also putting them together into one file. The ways to do this is described in another HOWTO , I will just mention the simplest case. In the case of a raw DER thing in PEM format, and assuming that's all -right for yor applications, simply concatenating the certificate and +right for your applications, simply concatenating the certificate and the key into a new file and using that one should be enough. With some applications, you don't even have to do that. -By now, you have your cetificate and your private key and can start -using the software that depend on it. +By now, you have your certificate and your private key and can start +using applications that depend on it. -- Richard Levitte