[thirdparty/openssl.git] / doc / HOWTO / certificates.txt

<DRAFT!>
			HOWTO certificates

How you handle certificates depend a great deal on what your role is.
Your role can be one or several of:

  - User of some client software
  - User of some server software
  - Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read ca.txt.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used.  You may find it in /etc/,
/usr/local/ssr/ or somewhere else.  The name is openssl.cnf, and
is better described in another HOWTO <config.txt?>.  If you want to
use a different configuration file, use the argument '-config {file}'
with the command shown below.


Certificates are related to public key cryptography by containing a
public key.  To be useful, there must be a corresponding private key
somewhere.  With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa' if you want a RSA
private key, or 'openssl gendsa' if you want a DSA private key.  More
info on how to handle these commands are found in the manual pages for
those commands or by running them with the argument '-h'.  For the
sake of the description in this file, let's assume that the private
key ended up in the file privkey.pem (which is the default in some
cases).


Let's start with the most normal way of getting a certificate.  Most
often, you want or need to get a certificate from a certificate
authority.  To handle that, the certificate authority needs a
certificate request (or, as some certificate authorities like to put
it, "certificate signing request", since that's exactly what they do,
they sign it and give you the result back, thus making it authentic
according to their policies) from you.  To generate a request, use the
command 'openssl req' like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.  If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>).  In some cases, that isn't sufficient and you will
have to be more creative.

When the certificate authority has then done the checks the need to
do (and probably gotten payment from you), they will hand over your
new certificate to you.


[fill in on how to create a self-signed certificate]


If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else.  Depending on your
applications, this may be perfectly OK, it all depends on what they
know how to decode.  If not, There are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file.  The ways to do this is described in
another HOWTO <formats.txt?>, I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that's all
right for yor applications, simply concatenating the certificate and
the key into a new file and using that one should be enough.  With
some applications, you don't even have to do that.


By now, you have your cetificate and your private key and can start
using the software that depend on it.

-- 
Richard Levitte
Commit	Line	Data
cf1b7d96	1	<DRAFT!>
862e973b RL	2	HOWTO certificates
	3
	4	How you handle certificates depend a great deal on what your role is.
	5	Your role can be one or several of:
	6
	7	- User of some client software
	8	- User of some server software
	9	- Certificate authority
	10
	11	This file is for users who wish to get a certificate of their own.
	12	Certificate authorities should read ca.txt.
	13
	14	In all the cases shown below, the standard configuration file, as
	15	compiled into openssl, will be used. You may find it in /etc/,
	16	/usr/local/ssr/ or somewhere else. The name is openssl.cnf, and
cf1b7d96	17	is better described in another HOWTO <config.txt?>. If you want to
862e973b RL	18	use a different configuration file, use the argument '-config {file}'
	19	with the command shown below.
	20
	21
	22	Certificates are related to public key cryptography by containing a
	23	public key. To be useful, there must be a corresponding private key
	24	somewhere. With OpenSSL, public keys are easily derived from private
	25	keys, so before you create a certificate or a certificate request, you
	26	need to create a private key.
	27
	28	Private keys are generated with 'openssl genrsa' if you want a RSA
	29	private key, or 'openssl gendsa' if you want a DSA private key. More
	30	info on how to handle these commands are found in the manual pages for
	31	those commands or by running them with the argument '-h'. For the
	32	sake of the description in this file, let's assume that the private
	33	key ended up in the file privkey.pem (which is the default in some
	34	cases).
	35
	36
	37	Let's start with the most normal way of getting a certificate. Most
	38	often, you want or need to get a certificate from a certificate
	39	authority. To handle that, the certificate authority needs a
	40	certificate request (or, as some certificate authorities like to put
	41	it, "certificate signing request", since that's exactly what they do,
	42	they sign it and give you the result back, thus making it authentic
	43	according to their policies) from you. To generate a request, use the
	44	command 'openssl req' like this:
	45
	46	openssl req -new -key privkey.pem -out cert.csr
	47
	48	Now, cert.csr can be sent to the certificate authority, if they can
	49	handle files in PEM format. If not, use the extra argument '-outform'
	50	followed by the keyword for the format to use (see another HOWTO
cf1b7d96	51	<formats.txt?>). In some cases, that isn't sufficient and you will
862e973b RL	52	have to be more creative.
	53
	54	When the certificate authority has then done the checks the need to
	55	do (and probably gotten payment from you), they will hand over your
	56	new certificate to you.
	57
	58
	59	[fill in on how to create a self-signed certificate]
	60
	61
	62	If you created everything yourself, or if the certificate authority
	63	was kind enough, your certificate is a raw DER thing in PEM format.
	64	Your key most definitely is if you have followed the examples above.
	65	However, some (most?) certificate authorities will encode them with
	66	things like PKCS7 or PKCS12, or something else. Depending on your
	67	applications, this may be perfectly OK, it all depends on what they
	68	know how to decode. If not, There are a number of OpenSSL tools to
	69	convert between some (most?) formats.
	70
	71	So, depending on your application, you may have to convert your
	72	certificate and your key to various formats, most often also putting
	73	them together into one file. The ways to do this is described in
cf1b7d96	74	another HOWTO <formats.txt?>, I will just mention the simplest case.
862e973b RL	75	In the case of a raw DER thing in PEM format, and assuming that's all
	76	right for yor applications, simply concatenating the certificate and
	77	the key into a new file and using that one should be enough. With
	78	some applications, you don't even have to do that.
	79
	80
	81	By now, you have your cetificate and your private key and can start
	82	using the software that depend on it.
	83
	84	--
	85	Richard Levitte