Throughout this section, wherever you see 2048, that can be replaced with any bit count, though a power of two is preferred (e.g. 1024, 2048, etc) as most code is optimized to operate quickly on bit-aligned numbers. The higher the better, 2048 is usually the best balance between speed and security at the moment.
- out specifies the file to write to.
des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method.
These will automatically prompt for a passphrase.
Generate unencrypted RSA key:
openssl genrsa -out server.key 2048
Generate encrypted RSA key (with passphrase):
openssl genrsa -des|-des3|-aes128|-aes192|-aes256 -out server.key 2048
Generate DSA parameters (Can be used to generate multiple keys):
openssl dsaparam -out dsaparm.prm 2048
Generate unencrypted DSA key (requires DSA parameters):
openssl gendsa -out server.key dsaparm.prm
Generate encrypted DSA key (requires DSA parameters):
openssl gendsa -des|-des3|-aes128|-aes192|-aes256 -out server.key dsaparm.prm
Generate self-signed certificate:
openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt
Generate signing request:
openssl req -new -key server.key -out server.csr
Sign certificate request with CA:
openssl ca -config ca.conf -in server.csr -out server.crt (-extensions <policy>)
Single-file PEM-encoded certificates:
cat server.key server.crt > server.pem
Browser-compatible client certificate
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Certificate revocations:
openssl ca -config ca.conf -revoke client.crt openssl ca -config ca.conf -gencrl -out ca.crl
Initilize a Certificate Authority:
(These correspond to the paths and files set in the local_ca section of ca.conf
# create the index file echo "00" > index.txt # create the serial file touch serial # create and secure the CA private key subdir -- Put the CA private key in here. mkdir private && chmod 700 private # create the hashdir to hold all the certificates signed by this CA (for recovery and revocation purposes) mkdir certs
Sample ca.conf:
# # Default configuration to use when one # is not provided on the command line. # [ ca ] default_ca = local_ca # # Default location of directories and # files needed to generate certificates. # [ local_ca ] dir = /usr/www/CertAuth certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial # # Default expiration and encryption # policies for certificates. # default_crl_days = 365 default_days = 1825 default_md = md5 policy = local_ca_policy x509_extensions = local_ca_extensions # # Default policy to use when generating # server certificates. The following # fields must be defined in the server # certificate. # [ local_ca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = optional # # x509 extensions to use when generating # server certificates. # [ local_ca_extensions ] #subjectAltName = DNS:altname.somewhere.com basicConstraints = CA:false nsCertType = server # # The default policy to use when # generating the root certificate. # [ req ] default_bits = 2048 default_keyfile = /usr/www/CertAuth/privkey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions # # Root Certificate Authority distin- # guished name. Changes these fields to # your local environment. # [ root_ca_distinguished_name ] commonName = CyberLeo.Net stateOrProvinceName = Wisconsin countryName = US emailAddress = cyberleo@cyberleo.net organizationName = CyberLeo.Net [ root_ca_extensions ] basicConstraints = CA:true [ protomuck ] basicConstraints = CA:false nsCertType = server [ server ] basicConstraints = CA:false nsCertType = server [ client ] basicConstraints = CA:false nsCertType = client