<DRAFT!>
HOWTO certificates

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

- User of some client software
- User of some server software
- Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read ca.txt.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used.  You may find it in /etc/,
/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and it
is better described in another HOWTO <config.txt?>.  If you want to
use a different configuration file, use the argument '-config {file}'
with the commands shown below.


Certificates are related to public key cryptography by containing a
public key.  To be useful, there must be a corresponding private key
somewhere.  With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa' if you want an RSA
private key, or 'openssl gendsa' if you want a DSA private key.  More
info on how to handle these commands is found in the manual pages for
those commands or by running them with the argument '-h'.  Note that
both commands write the key unencrypted unless you ask for a
passphrase (for example with '-aes256'), so keep the file readable by
you alone.  For the sake of the description in this file, let's assume
that the private key ended up in the file privkey.pem (which is the
default in some cases).


Let's start with the most normal way of getting a certificate.  Most
often, you want or need to get a certificate from a certificate
authority.  To handle that, the certificate authority needs a
certificate request from you (or, as some certificate authorities like
to put it, a "certificate signing request", since that is exactly what
they do: they sign it and give you the result back, thus making it
authentic according to their policies).  To generate a request, use
the command 'openssl req' like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.  If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>).  In some cases, that isn't sufficient and you will
have to be more creative.

When the certificate authority has done the checks they need to do
(and probably gotten payment from you), they will hand over your new
certificate to you.


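The whole procedure above (private key, then request, then the
optional DER conversion for a picky CA) as one runnable script.  This
is an added example and not part of the original HOWTO: it passes a
minimal '-config' file so that 'openssl req' runs without prompting,
and the subject CN=example.test, the 2048-bit key size and the file
names are assumptions made here.  It also adds the two checks worth
doing before you send anything off: that the request's self-signature
verifies, and that the public key inside it really is the one derived
from privkey.pem.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): private key -> certificate
# request -> checks -> optional DER conversion.  CN=example.test, the key
# size and all file names are assumptions made for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not installed, nothing to run" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal configuration: 'prompt = no' takes the DN from [req_dn] instead
# of asking on the terminal, and -config makes this run independent of
# the system openssl.cnf.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = example.test
EOF
}

# Step 1: the private key.  genrsa writes it unencrypted unless you pass
# -aes256 or similar, so restrict the file mode while creating it.
make_key() {
  (umask 077 && openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null)
}

# Step 2: the certificate request.  It is signed with privkey.pem, which
# is how the CA later knows the requester holds the key.
make_csr() {
  openssl req -new -config "$1/req.cnf" -key "$1/privkey.pem" -out "$1/cert.csr"
}

# Check 1: the request's self-signature verifies.  Older OpenSSL versions
# only print the result, so look at the message rather than the exit code.
csr_signature_ok() {
  case "$(openssl req -in "$1/cert.csr" -noout -verify 2>&1)" in
    *"verify OK"*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Check 2: the public key inside the request is the one derived from
# privkey.pem, i.e. you are not about to request a certificate for some
# other key lying around in the directory.
csr_matches_key() {
  from_csr=$(openssl req -in "$1/cert.csr" -noout -pubkey)
  from_key=$(openssl pkey -in "$1/privkey.pem" -pubout)
  [ "$from_csr" = "$from_key" ]
}

# Step 3, only if the CA cannot take PEM: the same request as raw DER.
# Reading the subject back from the DER file shows the conversion is
# lossless.
csr_to_der() {
  openssl req -in "$1/cert.csr" -outform DER -out "$1/cert.der"
  openssl req -inform DER -in "$1/cert.der" -noout -subject -nameopt RFC2253
}

write_req_config "$WORK"
make_key "$WORK"
make_csr "$WORK"
csr_signature_ok "$WORK" || { echo "cert.csr: bad signature" >&2; exit 1; }
csr_matches_key "$WORK"  || { echo "cert.csr: public key is not privkey.pem's" >&2; exit 1; }
echo "cert.csr: signature OK and public key matches privkey.pem"
csr_to_der "$WORK"       # prints: subject=CN=example.test
```

Run it with sh; it works in a temporary directory that is removed on
exit, so copy privkey.pem and cert.csr out of the script if you want
to keep them.  The two checks are cheap and catch the classic mistake
of pairing a request with the wrong key, which you would otherwise
only discover when the signed certificate refuses to work with the
key you have.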
[fill in on how to create a self-signed certificate]


If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER-encoded X.509
certificate in PEM format (base64 between BEGIN and END lines).  Your
key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else.  Depending on your
applications, this may be perfectly OK; it all depends on what they
know how to decode.  If not, there are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file.  The ways to do this are described in
another HOWTO <formats.txt?>; I will just mention the simplest case.
In the case of plain DER objects in PEM format, and assuming that's
all right for your applications, simply concatenating the certificate
and the key into a new file and using that one should be enough.
Remember that the combined file now contains your private key, so give
it the same restrictive permissions as privkey.pem.  With some
applications, you don't even have to do that.


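Both the self-signed certificate that the placeholder above leaves to
be filled in and the "one file" packaging described here, as one
runnable script.  This is an added example and not part of the
original HOWTO: the subject CN=example.test, the 365-day lifetime, the
PKCS#12 passphrase "changeit" and the file names are assumptions made
here.  It builds the self-signed certificate with 'openssl req -x509',
checks that it verifies against itself, then produces a concatenated
PEM file and a PKCS#12 bundle and checks that each reads back.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): make a self-signed
# certificate from privkey.pem, then package key and certificate as one
# PEM file and as a PKCS#12 bundle, checking that each form reads back.
# CN=example.test, the 365-day lifetime, the passphrase "changeit" and
# all file names are assumptions made for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not installed, nothing to run" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal configuration: 'prompt = no' takes the DN from [req_dn], and
# x509_extensions marks the certificate as a CA, which is what it acts as
# once someone installs it in a trust store.
cat > "$WORK/selfsigned.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_self

[ req_dn ]
CN = example.test

[ v3_self ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF

(umask 077 && openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null)

# Self-signed certificate: with -x509, 'req' emits a certificate signed by
# the request key itself instead of a request for a CA to sign.
make_self_signed() {
  openssl req -new -x509 -config "$1/selfsigned.cnf" -key "$1/privkey.pem" \
          -days 365 -out "$1/cert.pem"
}

# Check: it verifies with itself as the only trusted CA, which is what a
# client does after you install cert.pem in its trust store.
self_signed_verifies() {
  openssl verify -CAfile "$1/cert.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Simplest "one file" form: the two PEM blocks back to back.  The result
# contains the private key, so create it with a restrictive mode.
make_pem_bundle() {
  (umask 077 && cat "$1/privkey.pem" "$1/cert.pem" > "$1/bundle.pem")
}

# Check: both objects are found in the bundle (each reader skips PEM
# blocks of the other type) and they belong together, i.e. the public key
# in the certificate equals the one derived from the private key.
pem_bundle_consistent() {
  from_key=$(openssl pkey -in "$1/bundle.pem" -pubout)
  from_cert=$(openssl x509 -in "$1/bundle.pem" -noout -pubkey)
  [ "$from_key" = "$from_cert" ]
}

# PKCS#12 form, for applications that want key and certificate in one
# binary, passphrase-protected container.
make_pkcs12() {
  (umask 077 && openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/privkey.pem" \
     -name example.test -passout pass:changeit -out "$1/bundle.p12")
}

# Check: the certificate pulled back out of the PKCS#12 file has the same
# SHA-256 fingerprint as cert.pem, so the conversion lost nothing.
pkcs12_roundtrips() {
  orig=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256)
  back=$(openssl pkcs12 -in "$1/bundle.p12" -passin pass:changeit -nokeys -clcerts \
         | openssl x509 -noout -fingerprint -sha256)
  [ "$orig" = "$back" ]
}

make_self_signed "$WORK"
self_signed_verifies "$WORK"  || { echo "cert.pem does not verify against itself" >&2; exit 1; }
make_pem_bundle "$WORK"
pem_bundle_consistent "$WORK" || { echo "bundle.pem: key and certificate do not match" >&2; exit 1; }
make_pkcs12 "$WORK"
pkcs12_roundtrips "$WORK"     || { echo "bundle.p12: certificate did not round-trip" >&2; exit 1; }
echo "cert.pem, bundle.pem and bundle.p12 are consistent"
```

The concatenated file works with many applications because OpenSSL's
PEM readers look for the block type they want and skip the others,
which is also why 'openssl x509 -in bundle.pem' and 'openssl pkey -in
bundle.pem' both succeed on it.  The fingerprint comparison is the
check to keep in your notes: whenever you convert a certificate between
formats, compare the SHA-256 fingerprint before and after rather than
trusting that the tool did the right thing.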
By now, you have your certificate and your private key and can start
using the software that depends on them.

--
Richard Levitte