> From: Miguel [mailto:m...@moviquity.com]
> Sent: Friday, 23 January, 2009 02:40
> To: dave.thomp...@princetonpayments.com
> Subject: RE: generating private and public key with alias

It's better to reply on the list so that others can check me; added back.

> so to generate the CA private key, can I do it like this way?
> private:
> openssl dsaparam -genkey 1024 -out dsaprivatekey.pem

Yes. (Assuming you want a new 1024-bit DSA key in a new group.)

> public:
> openssl req -new -x509 -days 1001 -key dsaprivatekey.pem -out ca.cert
> although, if this is a self signed certificate, which one would be the public?

I'm not sure what your question is here. The public key is _generated_ with the private key, as part of the keypair. This step creates a certificate _containing_ the public key. A certificate always contains a public key (for some entity), and often is itself published, e.g. put on a directory server. Whether a certificate is self-signed affects whether/how the relier decides to trust it, but not the fact that it contains the public key.

Note that both openssl by default and keytool generate certificates that are NOT flagged as CA certs (in BasicConstraints, or KeyUsage). If you use this cert&key in openssl ca to sign a child cert and then (attempt to) use it, _some_ verifiers may reject on the ground that the parent cert is not a valid CA cert. If your verifier is picky, you need to create the CA (self-signed) cert using openssl req with a config file specifying the needed extensions; the distributed (and hopefully installed on your system) openssl.cnf is a good starting point and guide.

> and, how is the similar way to get the public and private key using keytool?

At least as of recent Java (JRE) versions,

    keytool -genkeypair [-keyalg DSA -validity d -alias n -keystore f -storepass p]

generates BOTH a DSA-1024 keypair AND a self-signed cert for it (in one command) and puts them in the keystore under the alias. You can get a copy of the cert out (to a file, or stdout) with

    keytool -exportcert [-file f -alias n -keystore f -storepass p]

The default format is DER, which openssl can handle if you tell it, but a human cannot easily recognize; use -rfc to get PEM format, which is easier to look at, safer to transport in some situations, and the default for openssl.

If you really want the public key alone (not contained in a cert), openssl can extract it from the cert with

    openssl x509 -in cert [-inform DER] -noout -pubkey [ > key.pem ]

I believe the only way to get out the private key with keytool is to create a pkcs12-type keystore (separate from your normal one) and import the desired entry into that. But on my system at present this creates a p12 that neither openssl pkcs12 nor keytool can recover -- at least not the shrouded-keybag portion, which is the important one. I may have a bad version of something but don't have time to investigate.

I don't know of any standard/builtin Java utility that does CA functionality, i.e. uses a key&cert to generate/sign child certs, so having a "CA" key&cert in the Java keystore may be worthless.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
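The following script is an added worked example and is not part of the thread above or of the OpenSSL project's own code. It carries the openssl side of the reply through end to end: the same `dsaparam -genkey` command for the CA private key, a `req -new -x509` run driven by a small config file that sets the BasicConstraints and KeyUsage the reply says a bare `req -x509` leaves out, the `x509 -pubkey` extraction of the public key, and one child cert signed by the CA so that a verifier's "is the parent really a CA?" check can be exercised. Assumptions made here: a throwaway working directory `$WORK`, the subject name "Example Test CA", a minimal config modelled on the stock openssl.cnf, and the use of `openssl x509 -req` rather than `openssl ca` so that no CA database directory needs to exist. Note that current openssl wants the bit count as the last argument to `dsaparam`.

```shell
#!/bin/sh
# Added example (not from the thread): DSA CA with explicit CA extensions,
# one child cert signed by it, and the checks a picky verifier would apply.
set -e

WORK=${WORK:-$(mktemp -d)}     # assumption: a throwaway working directory

# Minimal req config, constructed for this example and modelled on the
# [ req ] / [ v3_ca ] sections of the stock openssl.cnf.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CA private key: same operation as in the thread (new 1024-bit DSA group
# plus a key in it); -noout keeps the parameters block out of the key file.
gen_ca_key() {
    openssl dsaparam -genkey -noout -out "$WORK/ca-key.pem" 1024 2>/dev/null
}

# Self-signed CA cert carrying the CA extensions from the config above.
gen_ca_cert() {
    openssl req -new -x509 -days 1001 -config "$WORK/ca.cnf" \
        -key "$WORK/ca-key.pem" -out "$WORK/ca.cert"
}

# The public key alone, pulled out of the cert as the reply describes.
extract_pubkey() {
    openssl x509 -in "$WORK/ca.cert" -noout -pubkey > "$WORK/ca-pub.pem"
}

# Child key + CSR, signed by the CA. "openssl x509 -req" stands in for
# "openssl ca" so no CA database directory has to be set up.
sign_child() {
    openssl dsaparam -genkey -noout -out "$WORK/child-key.pem" 1024 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=child" \
        -key "$WORK/child-key.pem" -out "$WORK/child.csr"
    openssl x509 -req -in "$WORK/child.csr" -days 365 \
        -CA "$WORK/ca.cert" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -out "$WORK/child.cert" 2>/dev/null
}

# Check 1: the CA cert is actually flagged as a CA in BasicConstraints.
ca_is_flagged_ca() {
    openssl x509 -in "$WORK/ca.cert" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: the child cert chains to the CA under openssl's own verifier.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.cert" "$WORK/child.cert" >/dev/null 2>&1
}

# Check 3: the public key in the cert is the one derived from the private
# key, i.e. it was generated with the private key, not by the "public" step.
pubkey_matches_private() {
    openssl pkey -in "$WORK/ca-key.pem" -pubout | cmp -s - "$WORK/ca-pub.pem"
}

build_all() {
    write_config && gen_ca_key && gen_ca_cert && extract_pubkey && sign_child
}

build_all
ca_is_flagged_ca        && echo "CA cert carries CA:TRUE"
chain_verifies          && echo "child cert verifies against the CA"
pubkey_matches_private  && echo "extracted public key matches the private key"
echo "artifacts left in $WORK"
```

Run it as `sh ca-example.sh` (or with `WORK=/some/dir` set to keep the files somewhere specific). Dropping the `-config` from `gen_ca_cert` and re-running shows the failure mode the reply warns about on older releases: `ca_is_flagged_ca` no longer finds CA:TRUE, and a verifier that enforces BasicConstraints refuses the child cert even though the signature on it is valid.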