CDNWiki
View Source:
OpenSSL
(http://pintday.org/hack/crypto/ca.shtml) Throughout this section, wherever you see 2048, that can be replaced with any bit count, though a power of two is preferred (e.g. 1024, 2048, etc) as most code is optimized to operate quickly on bit-aligned numbers. The higher the better, 2048 is usually the best balance between speed and security at the moment. * Note: When creating DSA keys and certificates for webservers, be sure to choose a key size between 512 and 1024 bits. Firefox doesn't like 2048 bit DSA server keys. * Note: When creating an RSA CA structure, do not create any keys larger than 8192 bits. Firefox complains with invalid signature. -out specifies the file to write to.<br> -des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method. Pick one.<br> These will automatically prompt for a passphrase.<br> ---- *RSA* *key* *handling* * Generate unencrypted RSA key: <verbatim> openssl genrsa -out server.key 2048 </verbatim> * Generate encrypted RSA key (with passphrase): <verbatim> openssl genrsa -des|-des3|-aes128|-aes192|-aes256 -out server.key 2048 </verbatim> * Encrypt an existing RSA key <verbatim> openssl rsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrpyted.key </verbatim> * Decrpyt an existing RSA key <verbatim> openssl rsa -in server.key server-decrypted.key </verbatim> *DSA* *Key* *Handling* * Generate DSA parameters (Can be used to generate multiple keys): <verbatim> openssl dsaparam -out dsaparm.prm 2048 </verbatim> * Generate unencrypted DSA key (requires DSA parameters): <verbatim> openssl gendsa -out server.key dsaparm.prm </verbatim> * Generate encrypted DSA key (requires DSA parameters): <verbatim> openssl gendsa -des|-des3|-aes128|-aes192|-aes256 -out server.key dsaparm.prm </verbatim> * Encrypt an existing DSA key <verbatim> openssl dsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrpyted.key </verbatim> * Decrypt an existing DSA key <verbatim> openssl dsa -in server.key server-decrypted.key </verbatim> *Certificate* *Handling* * Generate self-signed certificate from an existing key: <verbatim> openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt </verbatim> * Generate a self-signed certificate and a brand new key all at once: <verbatim> openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout server.key -out server.crt </verbatim> * Generate a CA-style root certificate: <verbatim> openssl req -config ca.conf -days 3650 -x509 -newkey rsa:8192 -out certauth.crt -outform PEM </verbatim> <sub>Make sure you set up a proper path structure and root_ca_distinguished_name in ca.conf beforehand, or else strange things may occur.</sub> * Generate signing request: <verbatim> openssl req -new -key server.key -out server.csr </verbatim> * Sign certificate request with CA: <verbatim> openssl ca -config ca.conf -in server.csr -out server.crt (-extensions <policy>) </verbatim> * Single-file PEM-encoded certificates: <verbatim> cat server.key server.crt > server.pem </verbatim> * Browser-compatible client certificate <verbatim> openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 </verbatim> * Initilize a Certificate Authority:<br> * (These correspond to the paths and files set in the local_ca section of ca.conf <verbatim> # create the serial file echo "00" > serial # create the index file touch index.txt # create and secure the CA private key subdir -- Put the CA private key in here. mkdir private && chmod 700 private # create the hashdir to hold all the certificates signed by this CA (for recovery and revocation purposes) mkdir certs </verbatim> *Certificate* *Revocation* *Lists* *(CRLs)* * Certificate revocations: <verbatim> openssl ca -config ca.conf -revoke client.crt openssl ca -config ca.conf -gencrl -out ca.crl </verbatim> *Makefiles* *for* *Apache* *hash* *directories* <br> [Makefile.crt|OpenSSL/Makefile.crt]<br> [Makefile.crl|OpenSSL/Makefile.crl]<br> *Makefile* *for* *CA* *batch* *signing* *and* *CSR* *generation* <br> [Makefile|OpenSSL/Makefile]<br> Another [ca.conf|OpenSSL/ca.conf] Sample ca.conf: <verbatim> # # Default configuration to use when one # is not provided on the command line. # [ ca ] default_ca = local_ca # # Default location of directories and # files needed to generate certificates. # [ local_ca ] dir = /usr/www/CertAuth certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial # # Default expiration and encryption # policies for certificates. # default_crl_days = 365 default_days = 1825 default_md = md5 policy = local_ca_policy x509_extensions = local_ca_extensions # # Default policy to use when generating # server certificates. The following # fields must be defined in the server # certificate. # [ local_ca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = optional # # x509 extensions to use when generating # server certificates. # [ local_ca_extensions ] #subjectAltName = DNS:altname.somewhere.com basicConstraints = CA:false nsCertType = server # # The default policy to use when # generating the root certificate. # [ req ] default_bits = 2048 default_keyfile = /usr/www/CertAuth/privkey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions # # Root Certificate Authority distin- # guished name. Changes these fields to # your local environment. # [ root_ca_distinguished_name ] commonName = CyberLeo.Net stateOrProvinceName = Wisconsin countryName = US emailAddress = cyberleo@cyberleo.net organizationName = CyberLeo.Net [ root_ca_extensions ] basicConstraints = CA:true [ protomuck ] basicConstraints = CA:false nsCertType = server [ server ] basicConstraints = CA:false nsCertType = server [ client ] basicConstraints = CA:false nsCertType = client </verbatim>
