> From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
> Sent: Monday, 09 April, 2012 01:54
> I am newbie to OpenSSL. I am trying to understand how certificates
> are generated. I downloaded the samples and started understanding
> the "Makefile" that came with the sources.
FYI- this is *a* way of generating matching keys and certificates,
which is what you need, in OpenSSL. There are other methods.
> Below is my understanding so far
> $(OPENSSL) req -newkey rsa:1024 -sha1 -keyout serverkey.pem
> -out serverreq.pem -config server.cnf -reqexts req_extensions
> Here we are trying to create a RSA private key with Private
> Key file " serverkey.pem" and output file "serverreq.pem "
This creates an RSA key*pair* (private and public) which is stored
in CRT format in serverkey.pem, *and* a certficate signing request
aka CSR for the publickey half of that keypair in serverreq.pem.
Although theoretical RSA public and private keys can be distinct
with only (e,n) and (d,n), much better performance is obtained
by the CRT implementation which stores e,d,n,p,q plus more.
The publickey (e,n) is extracted from CRT format when needed.
(CRT here means Chinese Remainder Theorem.)
> $(OPENSSL) x509 -req -in serverreq.pem -sha1 -extfile server.cnf
> -extensions certificate_extensions -CA serverCA.pem -CAkey serverCA.pem
> -CAcreateserial -out servercert.pem
> Here we are creating a ServerCertificate which has the
> private key from serverreq.pem , signed by CA serverCA.pem using
> CA private key serverCA.pem
The cert has the *public*key from the CSR, plus other information.
It is signed by the CA's privatekey in serverCA.pem and is linked
"under" the CA's certificate (matching that CA privatekey) also in
serverCA.pem. (In many but not all cases, OpenSSL allows multiple
things to be stored in one .pem file. Other programs may not.)
> $(CAT) servercert.pem serverkey.pem serverCAcert.pem
> rootcert.pem > server.pem
> Not shure why we are doing here.
Assuming serverCAcert.pem contains the same cert as serverCA.pem
(but *not* the privatekey apparently also in serverCA.pem) and
rootcert.pem contains the root cert "over" serverCAcert.pem,
this puts the server's keypair, the cert for the server's key,
the CA cert "over" the server's cert (called an intermediate or
"chain" cert), and the root cert all in one file. Some servers
(can) use a single file like that to define together the (server)
key and cert with its chain they use for SSL/TLS handshake. Some
clients do the same if you use client auth, but that is rarer.
Technically the server doesn't need the root cert in this file.
Any root supplied by the server to the client during handshaking
is ignored; the client must use only a root configured locally.
But if you want a record of what root the server cert chain uses,
putting it in the file is a convenient and reliable way.
> Can some one explain me clearly above 3 commands.
> Also during Server Authentication , Server sends its certificate
> to the client which has the Public Key of the server. Here where is
> the Public Key generated?
As above; the publickey in the server cert came from the CSR, which
came from the server keypair generated and stored in the first step.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
