
Differences between version 2 and previous revision of OpenSSL.


Newer page: version 2 Last edited on Tuesday, 2 May 2006 6:35:53 by CyberLeo Revert
Older page: version 1 Last edited on Thursday, 13 April 2006 4:24:26 by CyberLeo Revert
@@ -1,5 +1,5 @@
-Throughout this section, wherever you see 2048, that can be replaced with any bit count. The higher the better, 2048 is usually the best balance between speed and security at the moment. 
+Throughout this section, wherever you see 2048, that can be replaced with any bit count, though a power of two is preferred (e.g. 1024, 2048, etc) as most code is optimized to operate quickly on bit-aligned numbers . The higher the better, 2048 is usually the best balance between speed and security at the moment. 
  
 -out specifies the file to write to.<br> 
 -des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method.<br> 
  These will automatically prompt for a passphrase.<br> 
@@ -42,8 +42,24 @@
  
 Sign certificate request with CA: 
 <verbatim> 
 openssl ca -config ca.conf -in server.csr -out server.crt (-extensions <policy>) 
+</verbatim>  
+  
+Single-file PEM-encoded certificates:  
+<verbatim>  
+cat server.key server.crt > server.pem  
+</verbatim>  
+  
+Browser-compatible client certificate  
+<verbatim>  
+openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12  
+</verbatim>  
+  
+Certificate revocations:  
+<verbatim>  
+openssl ca -config ca.conf -revoke client.crt  
+openssl ca -config ca.conf -gencrl -out ca.crl  
 </verbatim> 
  
 Sample ca.conf: 
 <verbatim> 
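Review bot: The added `cat server.key server.crt > server.pem` line writes the private key into a new file created under the caller's umask, so with the usual 022 the combined PEM ends up world-readable; run it as `(umask 077; cat server.key server.crt > server.pem)` or follow it with `chmod 600 server.pem`. The two revocation lines only update the CA database and write ca.crl locally: the revocation reaches relying parties once the new CRL is published where they fetch it, and the CRL has to be regenerated before it expires (default_crl_days in the sample ca.conf, 365). A sentence after the pkcs12 line saying that `-export` prompts for an export password protecting the bundled key would also help readers who wonder why they are asked for one.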
@@ -130,5 +146,13 @@
  
 [ protomuck ] 
 basicConstraints = CA:false 
 nsCertType = server 
+  
+[ server ]  
+basicConstraints = CA:false  
+nsCertType = server  
+  
+[ client ]  
+basicConstraints = CA:false  
+nsCertType = client  
 </verbatim> 
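Review bot: The new `[ server ]` and `[ client ]` sections distinguish usage only through nsCertType, a Netscape-specific extension that standards-based validators generally ignore, so nothing in the issued certificates stops a client certificate from being presented as a server certificate or vice versa. Adding `extendedKeyUsage = serverAuth` to `[ server ]` and `extendedKeyUsage = clientAuth` to `[ client ]` gives those validators the same distinction. `[ server ]` is also a verbatim copy of `[ protomuck ]` and of `[ local_ca_extensions ]` in the surrounding file; a comment stating which section `-extensions` is expected to select would keep the three from drifting apart.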

version 2

Throughout this section, wherever you see 2048, that can be replaced with any bit count, though a power of two is preferred (e.g. 1024, 2048, etc.) as most code is optimized to operate quickly on bit-aligned numbers. The higher the better; 2048 is usually the best balance between speed and security at the moment.

  • -out specifies the file to write to.
  • -des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method.

    These will automatically prompt for a passphrase.


Generate unencrypted RSA key:

# Writes an unencrypted 2048-bit RSA private key; anyone who can read
# server.key owns the key, so keep the file's permissions tight.
openssl genrsa -out server.key 2048

Generate encrypted RSA key (with passphrase):

# Same as above, but the key file is passphrase-protected with the chosen
# cipher (one of the listed options). -des is single DES (56-bit) and is
# the weakest choice here; -aes256 is the strongest listed.
openssl genrsa -des|-des3|-aes128|-aes192|-aes256 -out server.key 2048

Generate DSA parameters (Can be used to generate multiple keys):

# Generates DSA domain parameters (p, q, g) of the given size; the one
# parameter file can be reused to generate any number of keys.
openssl dsaparam -out dsaparm.prm 2048

Generate unencrypted DSA key (requires DSA parameters):

# Unencrypted DSA private key derived from the parameter file above;
# protect server.key like any other private key.
openssl gendsa -out server.key dsaparm.prm

Generate encrypted DSA key (requires DSA parameters):

# Passphrase-protected DSA private key; same cipher choices and caveats
# as the encrypted RSA key above (-des is the weakest option).
openssl gendsa -des|-des3|-aes128|-aes192|-aes256 -out server.key dsaparm.prm

Generate self-signed certificate:

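# Self-signed certificate from an existing key, valid for 365 days.
# -sha256 replaces the original -sha1: SHA-1 certificate signatures are
# no longer accepted by mainstream browsers. -nodes has no effect here
# because -key supplies the key and nothing new is generated.
openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt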

Generate signing request:

# Certificate signing request for server.key; the request itself is
# signed with default_md from the [ req ] section of the config in use
# (md5 in the sample ca.conf below - pass -sha256 to override).
openssl req -new -key server.key -out server.csr

Sign certificate request with CA:

# Issue the certificate with the CA. -extensions names the extension
# section of ca.conf to apply (e.g. server or client in the sample);
# without it, x509_extensions from [ local_ca ] is used.
openssl ca -config ca.conf -in server.csr -out server.crt (-extensions <policy>)

Single-file PEM-encoded certificates:

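# Bundle key and certificate into one PEM file. The file holds the private
# key, so it is created under umask 077 (owner-only) instead of inheriting
# the shell's default umask, which usually makes new files world-readable.
(umask 077; cat server.key server.crt > server.pem)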

Browser-compatible client certificate

# PKCS#12 bundle of the client key and certificate for import into a
# browser. -export prompts for an export password that protects the
# bundled private key; -clcerts leaves CA certificates out of the bundle.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Certificate revocations:

# Mark client.crt revoked in the CA database, then write a fresh CRL.
# Relying parties only see the revocation once ca.crl is published where
# they fetch it, and the CRL must be regenerated before it expires
# (default_crl_days in ca.conf, 365 in the sample).
openssl ca -config ca.conf -revoke client.crt
openssl ca -config ca.conf -gencrl -out ca.crl

Sample ca.conf:

#
# Default configuration to use  when one
# is not provided on the command line.
# "openssl ca" reads default_ca to find
# the section holding its settings
# ([ local_ca ] below).
#
[ ca ]
default_ca      = local_ca

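#
# Default location  of  directories  and
# files needed to generate certificates.
# $dir is OpenSSL config-file variable
# substitution, not generic INI syntax.
# NOTE(review): /usr/www looks like a web
# document root; make sure $dir/private
# is never served and is readable only by
# the CA operator.
#
[ local_ca ]
dir             = /usr/www/CertAuth
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/certs
private_key     = $dir/private/cakey.pem
serial          = $dir/serial

#
# Default   expiration   and   signing
# policies for certificates.
# Lifetimes are in days: CRLs are valid
# for one year, certificates for five.
# default_md was md5, which is collision-
# broken and must not be used to sign
# certificates; sha256 is used instead.
#
default_crl_days        = 365
default_days            = 1825
default_md              = sha256

policy          = local_ca_policy
x509_extensions = local_ca_extensions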

#
# Default policy to use  when generating
# server   certificates.  The  following
# fields  must  be defined in the server
# certificate.
# "supplied": the field must be present
# in the request and is copied as given.
# "optional": the field may be omitted.
# (A third value, "match", would require
# the request's field to equal the CA's.)
# The field order here presumably also
# fixes the order of the issued subject
# DN - verify before reordering.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

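#
# x509 extensions to use when generating
# server certificates.
# nsCertType is a legacy Netscape-only
# extension; extendedKeyUsage is what
# standards-based validators evaluate, so
# both are set.
#
[ local_ca_extensions ]
# uncomment and edit to add alternative host names
#subjectAltName          = DNS:altname.somewhere.com
basicConstraints        = CA:false
nsCertType              = server
extendedKeyUsage        = serverAuth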

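#
# Defaults for "openssl req", used when
# generating the root certificate.
# default_keyfile only applies when req
# creates a key (no -key given); note it
# differs from private_key in [ local_ca ]
# ($dir/private/cakey.pem) - confirm which
# file is the CA key before relying on it.
# default_md was md5, which is collision-
# broken; sha256 is used instead.
#
[ req ]
default_bits    = 2048
default_keyfile = /usr/www/CertAuth/privkey.pem
default_md      = sha256

prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions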

#
# Root  Certificate  Authority   distin-
# guished name.  Change these fields to
# your local environment.
# With prompt = no in [ req ] these values
# are used verbatim, in this order, with
# no interactive confirmation.
#
[ root_ca_distinguished_name ]
commonName              = CyberLeo.Net
stateOrProvinceName     = Wisconsin
countryName             = US
emailAddress            = cyberleo@cyberleo.net
organizationName        = CyberLeo.Net

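#
# Extensions for the self-signed root.
# basicConstraints is marked critical, as
# RFC 5280 requires for CA certificates;
# keyUsage limits the CA key to signing
# certificates and CRLs; the subject key
# identifier lets clients chain issued
# certificates back to this root.
#
[ root_ca_extensions ]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash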

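#
# Extensions for a server certificate;
# presumably an application-specific name
# selected with "openssl ca -extensions".
# Identical to [ server ] apart from the
# name. extendedKeyUsage is added because
# nsCertType is Netscape-only.
#
[ protomuck ]
basicConstraints        = CA:false
nsCertType              = server
extendedKeyUsage        = serverAuth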

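#
# Extensions for server certificates,
# selected with "openssl ca -extensions
# server". extendedKeyUsage is added
# because nsCertType is a Netscape-only
# extension that standards-based
# validators ignore.
#
[ server ]
basicConstraints        = CA:false
nsCertType              = server
extendedKeyUsage        = serverAuth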

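#
# Extensions for client certificates,
# selected with "openssl ca -extensions
# client". extendedKeyUsage = clientAuth
# is what standards-based validators use
# to keep a client certificate from being
# accepted as a server certificate.
#
[ client ]
basicConstraints        = CA:false
nsCertType              = client
extendedKeyUsage        = clientAuth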