<DRAFT!>
                HOWTO certificates

1. Introduction

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

- User of some client application
- User of some server application
- Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.


2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key. To be useful, there must be a corresponding private key
somewhere. With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa -out privkey.pem' if
you want an RSA private key, or if you want a DSA private key:
'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.

The private keys created by these commands are not passphrase protected;
that might or might not be what you want. Further information on how to
create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
The rest of this text assumes you have a private key in the file privkey.pem.


3. Creating a certificate request

To create a certificate, you need to start with a certificate request
(or, as some certificate authorities like to put it, "certificate
signing request", since that's exactly what they do: they sign it and
give you the result back, thus making it authentic according to their
policies). A certificate request is sent to a certificate authority
to get it signed into a certificate. You can also sign the certificate
yourself if you have your own certificate authority or create a
self-signed certificate (typically for testing purposes).

The certificate request is created like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format. If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>). In some cases, -outform does not let you output the
certificate request in the right format and you will have to use one
of the various other commands that are exposed by openssl (or get
creative and use a combination of tools).

The certificate authority performs various checks (according to their
policies) and usually waits for payment from you. Once that is
complete, they send you your new certificate.

Section 5 will tell you more on how to handle the certificate you
received.


4. Creating a self-signed test certificate

You can create a self-signed certificate if you don't want to deal
with a certificate authority, or if you just want to create a test
certificate for yourself. This is similar to creating a certificate
request, but creates a certificate instead of a certificate request.
This is NOT the recommended way to create a CA certificate, see
https://www.openssl.org/docs/apps/ca.html.

  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095


5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else. Depending on your
applications, this may be perfectly OK; it all depends on what they
know how to decode. If not, there are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file. The ways to do this are described in
another HOWTO <formats.txt?>; I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that's all
right for your applications, simply concatenating the certificate and
the key into a new file and using that one should be enough. With
some applications, you don't even have to do that.
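
The steps of sections 2 to 5 run end to end as one script, added here as an example and not part of the original HOWTO: after each step it checks that the public key inside the new object is the one derived from privkey.pem, which is how you catch a request or certificate that was accidentally made with the wrong key. The subject name /CN=test.example, the 2048-bit RSA key size and the scratch-directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): key -> request -> self-signed test
# certificate -> combined file, with a key-match check after every step.
set -eu

# Create privkey.pem, cert.csr, cacert.pem and combined.pem in directory $1.
make_test_cert_bundle() {
    dir=$1
    cd "$dir"

    # 1. Private key (not passphrase protected, as in the HOWTO).
    openssl genrsa -out privkey.pem 2048 2>/dev/null
    # Public key derived from the private key; the reference for the checks.
    openssl pkey -in privkey.pem -pubout -out expected.pub

    # 2. Certificate request; -subj avoids the interactive prompts.
    openssl req -new -key privkey.pem -out cert.csr -subj "/CN=test.example"
    # The request is self-signed with privkey.pem, so its signature must
    # verify and its embedded public key must equal the one derived above.
    openssl req -in cert.csr -noout -verify 2>/dev/null
    openssl req -in cert.csr -noout -pubkey -out csr.pub
    cmp -s expected.pub csr.pub

    # 3. Self-signed test certificate (section 4), valid for 1095 days.
    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 \
        -subj "/CN=test.example"
    openssl x509 -in cacert.pem -noout -pubkey -out cert.pub
    cmp -s expected.pub cert.pub
    # A self-signed certificate must verify with itself as the trust anchor.
    openssl verify -CAfile cacert.pem cacert.pem >/dev/null

    # 4. Simplest combined form (section 5): certificate and key in one file.
    cat cacert.pem privkey.pem > combined.pem
    # Both objects must still be readable from the combined file.
    openssl x509 -in combined.pem -noout -subject >/dev/null
    openssl pkey -in combined.pem -noout
}

# Usage: make_test_cert_bundle "$(mktemp -d)"  then point the application
# at combined.pem (or at cacert.pem and privkey.pem separately).
```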


By now, you have your certificate and your private key and can start
using applications that depend on it.

--
Richard Levitte