Hi there, I just signed up for openssl-users today because I was going to ask a question but then think I figured out what I needed to figure out.
Anyway, I created a HOWTO that isn't on the web site about how to create signed certificates, etc. It is a rough draft, and I would apreciate any feedback, but could you get it posted on the OpenSSL.org site? It took me hours of screwing with the man pages and things to get this information compiled. Thanks a ton! William Michael Grim Student, Southern Illinois University at Edwardsville Unix System Administrator, SIUE, Computer Science dept. Phone: (217) 341-6552 Email: [EMAIL PROTECTED]
Author: William Michael Grim Date: 12/29/2002 Topic: How to generate private keys and matching, self-signed certificates for use on your server. Updated copies of this document: The latest and greatest of this document are kept at http://solar.cs.siue.edu/ (umm, once I figure out a spot on the server I'll put the rest of the link in here). Okay, I hope everyone is doing well. I'm sure many of you have questions about creating OpenSSL certificates just the same way I did (and still do). So, if you have any updates, fixes, or expansions of this document, PLEASE let me know so I can get this updated. Also, at the end of this document you will find questions from myself that I would like to have answered if anyone wouldn't mind doing so (and they'll get put in this HOWTO). Now, on to business. This document currently outlines how to generate a dsa parameter file, a dsa private key, a certificate request, and finally, a self-signed certificate. SOME IMPORTANT NOTES: For the first three steps, you'll also want to do something like chmod 0600 on the files generated so they're not world-readable. There is no reason they need to be world-readable, and they all have something to do with your private key. You do NOT want your private key getting out into the world. On the last step where you create your certificate, leave the generated file world-readable. Quick steps to creating a private key and matching certificate: openssl dsaparam -out dsa_param.pem 1024 openssl gendsa -des3 -out privkey.pem dsa_params.pem openssl req -new -key privkey.pem -out cert_req.pem openssl x509 -req -in cert_req.pem -out cert.pem -trustout -signkey privkey.pem Understanding the "quick steps": The first thing someone needs to do to create a private key is generate a dsa parameter file. Actually, private keys can be made on the fly without this file, but once you have one of these files, future generation of extra private keys is faster, because the computer doesn't have to calculate as many numbers. Plus, the next command after this one prefers a dsaparam file. The format of the dsaparam command: - openssl dsaparam -out <file.pem> <num_of_bits> Basically, all files are output in the PEM format unless otherwise specified. So, this command generates a parameter file with the specified number of bits. EXAMPLE USAGE: openssl dsaparam -out dsa_param.pem 1024 The next step you need to perform is actually generating your private key. The format of the gendsa command: - openssl gendsa [-des3] -out <file.pem> <dsaparam-file> It's easy to understand that this command is generating a key using a dsa parameter file you previously created, but what may not be familiar is the [-des3] optioon. This is just an option to use for encrypting your private key. I've noticed that if you encrypt a key and use it with Apache upon bootup, the server will hang until it has the private key password. You can probably leave the option off as long as you make sure not to let the key be world readable (should be locked anyway if you followed my security advice at the beginning). EXAMPLE USAGE: openssl gendsa -des3 -out privkey.pem dsa_params.pem After you create a new private key, you need to generate a new certificate request, signed with your private key. A certificate request is what you give to your certificate authority (CA) to have them create a certificate and send back to you. Inside your certificate request, it will have information such as the issuer of the request, such as the country, state, company, email, etc. The request also has the private key, which is used by the CA to confirm your identity. Format of the req command for a new certificate: - openssl req -new -key <private_key.pem> -out <file.pem> EXAMPLE USAGE: openssl req -new -key privkey.pem -out cert_req.pem Now, if you wanted to just create a request and send it to a commercial CA, this is the point you should stop and follow the steps your CA provides for you. However, if you want to sign your own certificate request, because you are like me and only run personal servers and/or do not have the money to pay a CA, please continue reading. NOTE: Some CAs need requests/keys/etc to be in the DER format, not PEM. If this is the case, look through the relevant man pages (listed at the end) for help on the -outform -inform options. Now, the hardest step for me to learn at least, was, "How in the heck do I create a self-signed certificate, because I'm too damn poor to pay anyone else?" Well, to do that, you need to use the x509 command, which can actually do quite a few things, but we have only one purpose for it in this tutorial. Generally, the x509 expects an already signed certificate as the input file so it can resign it and update the signature; however, we must pass the -req option to it so it knows it's going to be reading in a certificate request and generating a new certificate for us. Format of the x509 command (for our purposes): - openssl x509 -req -in <file.pem> [-trustout] -signkey <key.pem> Notice the -trustout optioon: this makes your certificate not only a signed certificate, but a trusted signed certificate. I have absolutely no idea at this point in time between the differences and would REALLY appreciate it if anyone could inform me of such differences and when/why/how you would use both of them. Also, the -signkey option just tells x509 to create a new key in your newly signed certificate from a derivation off your private key. This makes a public/private key pair, with the public key in your new certificate. EXAMPLE USAGE: openssl x509 -req -in cert_req.pem -out cert.pem -trustout -signkey privkey.pem Other good reads from the manual pages: dsaparam(1) gendsa(1) req(1) x509(1) config(5ssl)