Re: ssl(8) cert generation instructions

2013-03-07 Thread Joerg Jung

On 06.03.2013 at 19:23, Stefan Sperling s...@openbsd.org wrote:

> On Wed, Mar 06, 2013 at 01:05:16PM +, Stuart Henderson wrote:
> > It's not entirely obvious that -x509 actually means produce a
> > csr, self-sign it (defaulting to SHA1), throw away the csr and write
> > the cert and this had me stuck for a long time when I wanted to
> > play with DSA server certs.
> > 
> > So here's a diff which moves DSA cert generation instructions
> > to the same style as RSA where the process is to produce a CSR and
> > tell people how to sign it in separate steps. It doesn't take much
> > longer and is clearer.
> > 
> > As a bonus there are instructions for ECDSA cert generation.
> > 
> > OK?
> 
> I'd like to mention in passing that I got bitten recently
> by the default lifetime limit of just 30 days for certs.
> I created my own CA but could only use it for one month :(

Same happened to me a while ago.

> Perhaps that could be mentioned. Or a -days option could be
> added to the example.

I agree, please mention and add the option.

Regards,
Joerg



ssl(8) cert generation instructions

2013-03-06 Thread Stuart Henderson
It's not entirely obvious that -x509 actually means produce a
csr, self-sign it (defaulting to SHA1), throw away the csr and write
the cert and this had me stuck for a long time when I wanted to
play with DSA server certs.

So here's a diff which moves DSA cert generation instructions
to the same style as RSA where the process is to produce a CSR and
tell people how to sign it in separate steps. It doesn't take much
longer and is clearer.

As a bonus there are instructions for ECDSA cert generation.

OK?



Index: ssl.8
===
RCS file: /cvs/src/share/man/man8/ssl.8,v
retrieving revision 1.53
diff -u -p -r1.53 ssl.8
--- ssl.8   27 Nov 2012 01:02:07 -  1.53
+++ ssl.8   6 Mar 2013 12:53:51 -
@@ -150,18 +150,66 @@ The following command will generate 1024
 # openssl dsaparam 1024 -out dsa1024.pem
 .Ed
 .Pp
-Once you have the DSA parameters generated, you can generate a certificate
-and unencrypted private key using the command:
+Once you have the DSA parameters generated, you can generate a Certificate
+Signing Request and unencrypted private key using the command:
 .Bd -literal -offset indent
-# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \e
-  -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+# openssl req -nodes -newkey dsa:dsa1024.pem \e
+  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
 .Ed
 .Pp
 To generate an encrypted private key, you would use:
 .Bd -literal -offset indent
-# openssl req -x509 -newkey dsa:dsa1024.pem \e
-  -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+# openssl req -newkey dsa:dsa1024.pem \e
+  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
 .Ed
+.Pp
+This
+.Pa server.csr
+file can then be given to a Certificate Authority who will sign the key.
+.Pp
+You can also sign the key yourself, using the command:
+.Bd -literal -offset indent
+# openssl x509 -sha256 -req -days 365 \e
+  -in /etc/ssl/private/dsacert.csr \e
+  -signkey /etc/ssl/private/dsacert.key \e
+  -out /etc/ssl/dsacert.crt
+.Ed
+.Pp
+.Sh GENERATING ECDSA SERVER CERTIFICATES
+First, generate parameters for ECDSA keys.
+The following command will use a NIST/SECG curve over a 384 bit
+prime field:
+.Bd -literal -offset indent
+# openssl ecparam -out ec-secp384r1.pem -name secp384r1
+.Ed
+.Pp
+Once you have the ECDSA parameters generated, you can generate a self-signed
+certificate and unencrypted private key using the command:
+.Bd -literal -offset indent
+# openssl req -nodes -newkey ec:ec-secp384r1.pem \e
+  -keyout /etc/ssl/private/eccert.key -new \e
+  -out /etc/ssl/private/eccert.csr
+.Ed
+.Pp
+To generate an encrypted private key, you would use:
+.Bd -literal -offset indent
+# openssl req -newkey ec:ec-secp384r1.pem \e
+  -keyout /etc/ssl/private/eccert.key -new \e
+  -out /etc/ssl/private/eccert.csr
+.Ed
+.Pp
+This
+.Pa eccert.csr
+file can then be given to a Certificate Authority who will sign the key.
+.Pp
+You can also sign the key yourself, using the command:
+.Bd -literal -offset indent
+# openssl x509 -sha256 -req -days 365 \e
+  -in /etc/ssl/private/eccert.csr \e
+  -signkey /etc/ssl/private/eccert.key \e
+  -out /etc/ssl/eccert.crt
+.Ed
+.Pp
 .Sh USING SSL/TLS WITH SENDMAIL
 By default,
 .Xr sendmail 8
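Review bot: the DSA self-signing step in this hunk does not read the files the CSR step wrote. The req command writes "-out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem", but the x509 -req command beneath it reads "-in /etc/ssl/private/dsacert.csr" and "-signkey /etc/ssl/private/dsacert.key", so the commands fail with a missing file when copied as written; pick one set of paths and use it in both places. The sentence "This .Pa server.csr file" names a third file that no command in the section produces and should use the CSR path from the req command. A CA (or the self-sign step) signs the request, not the key, so "who will sign the key" and "sign the key yourself" read better as "sign the request". In the ECDSA text, "you can generate a self-signed certificate and unencrypted private key" still describes the old -x509 behaviour while the command now writes a CSR; say CSR, as the DSA paragraph does. The ECDSA CSR is placed in /etc/ssl/private/eccert.csr whereas the DSA one goes to /etc/ssl/dsacert.csr; a CSR carries only public data, so /etc/ssl/ is the consistent home for both. Lastly, the ".Pp" directly before ".Sh GENERATING ECDSA SERVER CERTIFICATES" is a no-op that mandoc's lint warns about; drop it.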



Re: ssl(8) cert generation instructions

2013-03-06 Thread Stuart Henderson
On 2013/03/06 13:05, Stuart Henderson wrote:
> It's not entirely obvious that -x509 actually means produce a
> csr, self-sign it (defaulting to SHA1), throw away the csr and write
> the cert and this had me stuck for a long time when I wanted to
> play with DSA server certs.
> 
> So here's a diff which moves DSA cert generation instructions
> to the same style as RSA where the process is to produce a CSR and
> tell people how to sign it in separate steps. It doesn't take much
> longer and is clearer.
> 
> As a bonus there are instructions for ECDSA cert generation.
> 
> OK?

Tweaks from jmc and fix "...you can generate a self-signed certificate..."
in the added text for ECDSA, which should have been CSR.

Index: ssl.8
===
RCS file: /cvs/src/share/man/man8/ssl.8,v
retrieving revision 1.53
diff -u -p -r1.53 ssl.8
--- ssl.8   27 Nov 2012 01:02:07 -  1.53
+++ ssl.8   6 Mar 2013 15:36:04 -
@@ -150,17 +150,63 @@ The following command will generate 1024
 # openssl dsaparam 1024 -out dsa1024.pem
 .Ed
 .Pp
-Once you have the DSA parameters generated, you can generate a certificate
-and unencrypted private key using the command:
+Once you have the DSA parameters generated, you can generate a
+CSR and unencrypted private key using the command:
 .Bd -literal -offset indent
-# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \e
-  -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+# openssl req -nodes -newkey dsa:dsa1024.pem \e
+  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
 .Ed
 .Pp
 To generate an encrypted private key, you would use:
 .Bd -literal -offset indent
-# openssl req -x509 -newkey dsa:dsa1024.pem \e
-  -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+# openssl req -newkey dsa:dsa1024.pem \e
+  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
+.Ed
+.Pp
+This
+.Pa server.csr
+file can then be given to a CA who will sign the key.
+.Pp
+You can also sign the key yourself, using the command:
+.Bd -literal -offset indent
+# openssl x509 -sha256 -req -days 365 \e
+  -in /etc/ssl/private/dsacert.csr \e
+  -signkey /etc/ssl/private/dsacert.key \e
+  -out /etc/ssl/dsacert.crt
+.Ed
+.Sh GENERATING ECDSA SERVER CERTIFICATES
+First, generate parameters for ECDSA keys.
+The following command will use a NIST/SECG curve over a 384-bit
+prime field:
+.Bd -literal -offset indent
+# openssl ecparam -out ec-secp384r1.pem -name secp384r1
+.Ed
+.Pp
+Once you have the ECDSA parameters generated, you can generate a
+CSR and unencrypted private key using the command:
+.Bd -literal -offset indent
+# openssl req -nodes -newkey ec:ec-secp384r1.pem \e
+  -keyout /etc/ssl/private/eccert.key -new \e
+  -out /etc/ssl/private/eccert.csr
+.Ed
+.Pp
+To generate an encrypted private key, you would use:
+.Bd -literal -offset indent
+# openssl req -newkey ec:ec-secp384r1.pem \e
+  -keyout /etc/ssl/private/eccert.key -new \e
+  -out /etc/ssl/private/eccert.csr
+.Ed
+.Pp
+This
+.Pa eccert.csr
+file can then be given to a CA who will sign the key.
+.Pp
+You can also sign the key yourself, using the command:
+.Bd -literal -offset indent
+# openssl x509 -sha256 -req -days 365 \e
+  -in /etc/ssl/private/eccert.csr \e
+  -signkey /etc/ssl/private/eccert.key \e
+  -out /etc/ssl/eccert.crt
 .Ed
 .Sh USING SSL/TLS WITH SENDMAIL
 By default,
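Review bot: the DSA file names are still inconsistent between the two steps of this hunk. The req command writes "-out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem", while the self-sign command reads "-in /etc/ssl/private/dsacert.csr" and "-signkey /etc/ssl/private/dsacert.key", and the prose still refers to ".Pa server.csr", which nothing produces; align all three on the paths the req command actually writes. "who will sign the key" and "sign the key yourself" should say "sign the request": the private key never leaves the machine, which is the point of the CSR flow. The ECDSA CSR still lands in /etc/ssl/private/ while the DSA one is in /etc/ssl/; the CSR contains no secret, so the two sections should agree on one location. The "-days 365" in both x509 -req commands addresses the 30-day default that Stefan raised; one sentence stating that the default lifetime is 30 days and that -days overrides it would spare the next reader the same surprise. The stray .Pp before the ECDSA .Sh from the first version is gone, which is good.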




Re: ssl(8) cert generation instructions

2013-03-06 Thread Stefan Sperling
On Wed, Mar 06, 2013 at 01:05:16PM +, Stuart Henderson wrote:
> It's not entirely obvious that -x509 actually means produce a
> csr, self-sign it (defaulting to SHA1), throw away the csr and write
> the cert and this had me stuck for a long time when I wanted to
> play with DSA server certs.
> 
> So here's a diff which moves DSA cert generation instructions
> to the same style as RSA where the process is to produce a CSR and
> tell people how to sign it in separate steps. It doesn't take much
> longer and is clearer.
> 
> As a bonus there are instructions for ECDSA cert generation.
> 
> OK?

I'd like to mention in passing that I got bitten recently
by the default lifetime limit of just 30 days for certs.
I created my own CA but could only use it for one month :(

Perhaps that could be mentioned. Or a -days option could be
added to the example.
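Two points in this thread are easy to verify at a shell: Stuart's description of what "openssl req -x509" really does (build a CSR, self-sign it, discard the CSR) and Stefan's observation that a certificate issued without -days lives for only 30 days. The script below is an added example, not part of Stuart's diff or of the ssl(8) page. It runs the ECDSA flow from the diff both ways, then checks the resulting lifetime and signature digest with "openssl x509". The scratch directory, the file names, and the subject /CN=example.test are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the ssl(8) diff: contrast the one-step
# "openssl req -x509" shortcut with the two-step CSR + self-sign flow,
# then verify lifetime and signature digest on what comes out.
# Assumptions for the demo: a scratch directory, the file names below,
# and the subject /CN=example.test.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# EC parameters, as in the diff (secp384r1 is NIST P-384).
gen_ecparams() {
    openssl ecparam -name secp384r1 -out "$WORK/ec-secp384r1.pem"
}

# One-step shortcut: -x509 builds a CSR internally, self-signs it and
# discards the CSR. With no -days it gets the 30-day default lifetime.
# Prints the certificate path.
one_step_cert() {
    openssl req -x509 -nodes -newkey "ec:$WORK/ec-secp384r1.pem" \
        -subj "/CN=example.test" \
        -keyout "$WORK/onestep.key" -out "$WORK/onestep.crt" >/dev/null 2>&1
    echo "$WORK/onestep.crt"
}

# Two-step flow from the diff: write a CSR, then sign it with an explicit
# digest and an explicit lifetime in days. Prints the certificate path.
two_step_cert() {
    days=$1
    openssl req -new -nodes -newkey "ec:$WORK/ec-secp384r1.pem" \
        -subj "/CN=example.test" \
        -keyout "$WORK/eccert.key" -out "$WORK/eccert.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days "$days" \
        -in "$WORK/eccert.csr" -signkey "$WORK/eccert.key" \
        -out "$WORK/eccert.crt" >/dev/null 2>&1
    echo "$WORK/eccert.crt"
}

# Succeeds if the certificate is still valid N days from now.
# (x509 -checkend exits 0 when the cert does NOT expire within the window.)
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Signature algorithm recorded in the certificate, e.g. ecdsa-with-SHA256.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

gen_ecparams
ONE=$(one_step_cert)
TWO=$(two_step_cert 365)

if valid_for_days "$ONE" 31; then
    echo "one-step cert: still valid after 31 days"
else
    echo "one-step cert: expired by day 31 (30-day default lifetime)"
fi
if valid_for_days "$TWO" 364; then
    echo "two-step cert with -days 365: still valid after 364 days"
fi
echo "two-step cert signed with: $(sig_alg "$TWO")"
```

The -checkend test is the quickest way to confirm what -days (or its absence) produced without reading dates by eye. OpenSSL 3 still accepts the -signkey spelling used in the diff as an alias for -key, so the commands in the hunk run unchanged on current releases.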