
Throughout this section, wherever you see 2048, any key size can be substituted. Larger keys are stronger but slower to generate and use; 2048 bits is the accepted minimum for RSA today, and 3072 or 4096 bits is a sensible choice for a CA key or any key that is expected to stay in service for years.

  • -out specifies the file to write to.
  • -des|-des3|-aes128|-aes192|-aes256 chooses the cipher used to encrypt the private key on disk.

    These will automatically prompt for a passphrase. Prefer one of the AES options; -des and -des3 are legacy ciphers and should not be used for new keys.


Generate unencrypted RSA key:

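# Generate an unencrypted 2048-bit RSA private key in server.key.
# The file contains the raw private key, so make sure only its owner
# can read it (newer OpenSSL releases may already create it 0600; the
# chmod is harmless in that case).
openssl genrsa -out server.key 2048
chmod 600 server.key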

Generate encrypted RSA key (with passphrase):

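# Generate a 2048-bit RSA private key encrypted under a passphrase
# (prompted for interactively). -aes256 is shown; -aes128 or -aes192
# are also acceptable. The -des and -des3 options are legacy ciphers
# and should not be used to protect new keys.
openssl genrsa -aes256 -out server.key 2048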

Generate DSA parameters (the same parameter file can be reused to generate multiple keys):

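# Generate 2048-bit DSA parameters; one parameter file can be reused
# for several keys. DSA is a legacy algorithm: TLS 1.3 (RFC 8446)
# does not support DSA certificates at all, so for a TLS server key
# prefer the RSA commands above (or an EC key) unless DSA is required
# by something specific.
openssl dsaparam -out dsaparm.prm 2048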

Generate unencrypted DSA key (requires DSA parameters):

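# Generate an unencrypted DSA private key from the parameter file.
# As with the RSA key, restrict the file to its owner.
openssl gendsa -out server.key dsaparm.prm
chmod 600 server.key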

Generate encrypted DSA key (requires DSA parameters):

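# Generate a passphrase-protected DSA private key from the parameter
# file. -aes256 is shown; -aes128/-aes192 are also fine. Avoid the
# legacy -des and -des3 options.
openssl gendsa -aes256 -out server.key dsaparm.prm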

Generate self-signed certificate:

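# Generate a self-signed certificate for server.key, valid 365 days.
# -sha256 replaces the original -sha1: SHA-1 certificate signatures are
# rejected by current browsers and TLS libraries. -nodes only affects a
# key generated by req itself and does nothing when -key is supplied,
# so it is dropped. Most clients now ignore the CN and require the host
# name in subjectAltName; on OpenSSL 1.1.1 or later add
#   -addext "subjectAltName=DNS:server.example.com"
openssl req -new -x509 -sha256 -days 365 -key server.key -out server.crt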

Generate signing request:

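# Generate a certificate signing request for server.key. -sha256 pins
# the digest used for the request's own signature instead of relying
# on whatever the system openssl.cnf sets as default_md.
openssl req -new -sha256 -key server.key -out server.csr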

Sign certificate request with CA:

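# Sign the request with the CA described by ca.conf. Without
# -extensions, the x509 extension section named by x509_extensions in
# the CA section of ca.conf is applied to the issued certificate. The
# optional "-extensions NAME" selects a different extension section
# (for example the protomuck section in the sample below); NAME is an
# extension section, not a policy section.
openssl ca -config ca.conf -in server.csr -out server.crt
# openssl ca -config ca.conf -extensions protomuck -in server.csr -out server.crt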

Sample ca.conf:

#
# Default configuration to use  when one
# is not provided on the command line.
# "openssl ca" reads this section and then
# uses the section named by default_ca
# unless -name overrides it.
#
[ ca ]
default_ca      = local_ca

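#
# Default location  of  directories  and
# files needed to generate certificates.
# NOTE(review): /usr/www looks like a web
# document root. The CA private key must
# never be reachable through the web
# server; keep $dir/private readable only
# by the CA operator (mode 0700).
#
[ local_ca ]
dir             = /usr/www/CertAuth
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/certs
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
# Counter for CRL numbers (hex). Without it
# CRLs from "openssl ca -gencrl" carry no
# crlNumber extension, so clients cannot
# tell a newer CRL from an older one. The
# file must exist; initialise it with 01.
crlnumber       = $dir/crlnumber

#
# Default   expiration   and  encryption
# policies for certificates.
#
# CRLs are valid for a year; publish a new
# one after every revocation, not only when
# the old one expires.
default_crl_days        = 365
# Issued certificates last five years.
# Shorten this if key compromise is a
# realistic risk (publicly trusted CAs
# limit server certificates to roughly
# 13 months).
default_days            = 1825
# Signature digest. The original value,
# md5, is collision-broken and refused by
# modern clients; sha256 is the baseline.
default_md              = sha256

policy          = local_ca_policy
x509_extensions = local_ca_extensions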

#
# Default policy to use  when generating
# server   certificates.  The  following
# fields  must  be defined in the server
# certificate.
#
# "supplied" means the CSR must carry the
# field and any value is accepted;
# "optional" allows it to be absent. A
# value of "match" would instead require
# the field to equal the CA's own value.
# "openssl ca" writes the issued subject
# in the order of this section, so do not
# reorder the keys casually. With every
# field "supplied" the CA itself imposes
# no restriction on the identity a
# requester claims; review each CSR before
# signing it.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

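#
# x509 extensions to use when generating
# server certificates.
#
[ local_ca_extensions ]
# Current browsers ignore the CN and require
# the host name(s) here; uncomment and set
# it for each server before signing.
#subjectAltName          = DNS:altname.somewhere.com
# Marked critical so no client can treat an
# end-entity certificate as a CA.
basicConstraints        = critical, CA:false
# Standard key-usage extensions for a TLS
# server certificate.
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
# Key identifiers let clients chain the
# certificate to the issuing CA by key id.
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
# Legacy Netscape extension, ignored by
# current clients; kept for old software.
nsCertType              = server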

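#
# The   default   policy   to  use  when
# generating the root certificate, i.e.
# "openssl req -new -x509 -config ca.conf".
#
[ req ]
# Consider 3072 or 4096 for a root key that
# will be trusted for years.
default_bits    = 2048
# Write the new root key where [ local_ca ]
# private_key expects to find it. The
# original pointed at $dir/privkey.pem,
# which "openssl ca" never reads, so the
# key would have had to be moved by hand.
default_keyfile = /usr/www/CertAuth/private/cakey.pem
# md5 replaced: it is collision-broken and
# refused by modern clients.
default_md      = sha256
# Keep a passphrase on the root key (this
# is the default; -nodes would override it).
encrypt_key     = yes

prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions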

#
# Root  Certificate  Authority   distin-
# guished name.  Change these fields to
# your local environment; the values
# below are the sample author's and only
# serve as an example. With prompt = no
# the keys are taken as-is and appear in
# the certificate subject in this order.
#
[ root_ca_distinguished_name ]
commonName              = CyberLeo.Net
stateOrProvinceName     = Wisconsin
countryName             = US
emailAddress            = cyberleo@cyberleo.net
organizationName        = CyberLeo.Net

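[ root_ca_extensions ]
# Marked critical so clients cannot ignore
# the CA flag.
basicConstraints        = critical, CA:true
# The root key should only ever sign
# certificates and CRLs, never be used for
# TLS or other purposes.
keyUsage                = critical, keyCertSign, cRLSign
# Lets issued certificates reference this
# root by key id in authorityKeyIdentifier.
subjectKeyIdentifier    = hash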

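# Alternative server extension section,
# selected with "openssl ca -extensions
# protomuck"; otherwise identical in intent
# to local_ca_extensions.
[ protomuck ]
# Set the server's host name(s) here before
# signing; browsers ignore the CN.
#subjectAltName          = DNS:altname.somewhere.com
# Marked critical so no client can treat an
# end-entity certificate as a CA.
basicConstraints        = critical, CA:false
# Standard key-usage extensions for a TLS
# server certificate.
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
# Legacy Netscape extension, ignored by
# current clients; kept for old software.
nsCertType              = server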