Hi there, I just signed up for openssl-users today because I was going to
ask a question but then think I figured out what I needed to figure out.
Anyway, I created a HOWTO that isn't on the web site about how to create
signed certificates, etc.
It is a rough draft, and I would apreciate any feedback, but could you get
it posted on the OpenSSL.org site? It took me hours of screwing with the
man pages and things to get this information compiled.
Thanks a ton!
William Michael Grim
Student, Southern Illinois University at Edwardsville
Unix System Administrator, SIUE, Computer Science dept.
Phone: (217) 341-6552
Email: [EMAIL PROTECTED]
Author: William Michael Grim
Date: 12/29/2002
Topic: How to generate private keys and matching, self-signed certificates
for use on your server.
Updated copies of this document: The latest and greatest of this document
are kept at http://solar.cs.siue.edu/ (umm, once I figure out a spot on the
server I'll put the rest of the link in here).
Okay, I hope everyone is doing well. I'm sure many of you have questions
about creating OpenSSL certificates just the same way I did (and still do).
So, if you have any updates, fixes, or expansions of this document, PLEASE
let me know so I can get this updated. Also, at the end of this document you
will find questions from myself that I would like to have answered if anyone
wouldn't mind doing so (and they'll get put in this HOWTO).
Now, on to business. This document currently outlines how to generate a
dsa parameter file, a dsa private key, a certificate request, and finally, a
self-signed certificate.
SOME IMPORTANT NOTES:
For the first three steps, you'll also want to do something like chmod 0600 on
the files generated so they're not world-readable. There is no reason they
need to be world-readable, and they all have something to do with your private
key. You do NOT want your private key getting out into the world. On the last
step where you create your certificate, leave the generated file world-readable.
Quick steps to creating a private key and matching certificate:
openssl dsaparam -out dsa_param.pem 1024
openssl gendsa -des3 -out privkey.pem dsa_params.pem
openssl req -new -key privkey.pem -out cert_req.pem
openssl x509 -req -in cert_req.pem -out cert.pem -trustout -signkey privkey.pem
Understanding the "quick steps":
The first thing someone needs to do to create a private key is generate a
dsa parameter file. Actually, private keys can be made on the fly without
this file, but once you have one of these files, future generation of extra
private keys is faster, because the computer doesn't have to calculate as
many numbers. Plus, the next command after this one prefers a dsaparam file.
The format of the dsaparam command:
- openssl dsaparam -out <file.pem> <num_of_bits>
Basically, all files are output in the PEM format unless otherwise specified.
So, this command generates a parameter file with the specified number of bits.
EXAMPLE USAGE:
openssl dsaparam -out dsa_param.pem 1024
The next step you need to perform is actually generating your private key.
The format of the gendsa command:
- openssl gendsa [-des3] -out <file.pem> <dsaparam-file>
It's easy to understand that this command is generating a key using a
dsa parameter file you previously created, but what may not be familiar is the
[-des3] optioon. This is just an option to use for encrypting your private
key. I've noticed that if you encrypt a key and use it with Apache upon
bootup, the server will hang until it has the private key password.
You can probably leave the option off as long as you make sure not to let the
key be world readable (should be locked anyway if you followed my security
advice at the beginning).
EXAMPLE USAGE:
openssl gendsa -des3 -out privkey.pem dsa_params.pem
After you create a new private key, you need to generate a new certificate
request, signed with your private key. A certificate request is what you give
to your certificate authority (CA) to have them create a certificate and send
back to you. Inside your certificate request, it will have information such
as the issuer of the request, such as the country, state, company, email, etc.
The request also has the private key, which is used by the CA to confirm your
identity.
Format of the req command for a new certificate:
- openssl req -new -key <private_key.pem> -out <file.pem>
EXAMPLE USAGE:
openssl req -new -key privkey.pem -out cert_req.pem
Now, if you wanted to just create a request and send it to a commercial CA,
this is the point you should stop and follow the steps your CA provides for
you. However, if you want to sign your own certificate request, because you
are like me and only run personal servers and/or do not have the money to
pay a CA, please continue reading.
NOTE: Some CAs need requests/keys/etc to be in the DER format, not PEM. If
this is the case, look through the relevant man pages (listed at the end)
for help on the -outform -inform options.
Now, the hardest step for me to learn at least, was, "How in the heck do I
create a self-signed certificate, because I'm too damn poor to pay anyone
else?" Well, to do that, you need to use the x509 command, which can actually
do quite a few things, but we have only one purpose for it in this tutorial.
Generally, the x509 expects an already signed certificate as the input file
so it can resign it and update the signature; however, we must pass the -req
option to it so it knows it's going to be reading in a certificate request
and generating a new certificate for us.
Format of the x509 command (for our purposes):
- openssl x509 -req -in <file.pem> [-trustout] -signkey <key.pem>
Notice the -trustout optioon: this makes your certificate not only a signed
certificate, but a trusted signed certificate. I have absolutely no idea
at this point in time between the differences and would REALLY appreciate it
if anyone could inform me of such differences and when/why/how you would use
both of them.
Also, the -signkey option just tells x509 to create a new key in your newly
signed certificate from a derivation off your private key. This makes a
public/private key pair, with the public key in your new certificate.
EXAMPLE USAGE:
openssl x509 -req -in cert_req.pem -out cert.pem -trustout -signkey privkey.pem
Other good reads from the manual pages:
dsaparam(1)
gendsa(1)
req(1)
x509(1)
config(5ssl)
