Throughout this section, wherever you see 2048, that can be replaced with any bit count. The higher the better, 2048 is usually the best balance between speed and security at the moment.
- out specifies the file to write to.
des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method.
These will automatically prompt for a passphrase.
Generate unencrypted RSA key:
openssl genrsa -out server.key 2048
Generate encrypted RSA key (with passphrase):
openssl genrsa -des|-des3|-aes128|-aes192|-aes256 -out server.key 2048
Generate DSA parameters (Can be used to generate multiple keys):
openssl dsaparam -out dsaparm.prm 2048
Generate unencrypted DSA key (requires DSA parameters):
openssl gendsa -out server.key dsaparm.prm
Generate encrypted DSA key (requires DSA parameters):
openssl gendsa -des|-des3|-aes128|-aes192|-aes256 -out server.key dsaparm.prm
Generate self-signed certificate:
openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt
Generate signing request:
openssl req -new -key server.key -out server.csr
Sign certificate request with CA:
openssl ca -config ca.conf -in server.csr -out server.crt (-extensions <policy>)
Sample ca.conf:
# # Default configuration to use when one # is not provided on the command line. # [ ca ] default_ca = local_ca # # Default location of directories and # files needed to generate certificates. # [ local_ca ] dir = /usr/www/CertAuth certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial # # Default expiration and encryption # policies for certificates. # default_crl_days = 365 default_days = 1825 default_md = md5 policy = local_ca_policy x509_extensions = local_ca_extensions # # Default policy to use when generating # server certificates. The following # fields must be defined in the server # certificate. # [ local_ca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = optional # # x509 extensions to use when generating # server certificates. # [ local_ca_extensions ] #subjectAltName = DNS:altname.somewhere.com basicConstraints = CA:false nsCertType = server # # The default policy to use when # generating the root certificate. # [ req ] default_bits = 2048 default_keyfile = /usr/www/CertAuth/privkey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions # # Root Certificate Authority distin- # guished name. Changes these fields to # your local environment. # [ root_ca_distinguished_name ] commonName = CyberLeo.Net stateOrProvinceName = Wisconsin countryName = US emailAddress = cyberleo@cyberleo.net organizationName = CyberLeo.Net [ root_ca_extensions ] basicConstraints = CA:true [ protomuck ] basicConstraints = CA:false nsCertType = server