|
Lines 1840-1845
|
| 1840 |
example of how to create a <acronym>CA</acronym> for signing |
1840 |
example of how to create a <acronym>CA</acronym> for signing |
| 1841 |
one's own certificates.</para> |
1841 |
one's own certificates.</para> |
| 1842 |
|
1842 |
|
|
|
1843 |
<para>For more information about SSL read the free <link |
| 1844 |
xlink:href="https://www.feistyduck.com/books/openssl-cookbook/"> |
| 1845 |
OpenSSL Cookbook</link>.</para> |
| 1846 |
|
| 1843 |
<sect2> |
1847 |
<sect2> |
| 1844 |
<title>Generating Certificates</title> |
1848 |
<title>Generating Certificates</title> |
| 1845 |
|
1849 |
|
|
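Review bot: the new sentence "For more information about SSL read the free OpenSSL Cookbook" should say "SSL/TLS" (or simply "OpenSSL"), since the protocol actually deployed today is TLS and the commands in this section apply to both; the added `<link xlink:href>` markup and its placement before `<sect2>` are otherwise fine.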
Lines 1858-1869
|
| 1858 |
verifying the certificate will issue a warning to the user, |
1862 |
verifying the certificate will issue a warning to the user, |
| 1859 |
rendering the verification provided by the certificate as |
1863 |
rendering the verification provided by the certificate as |
| 1860 |
useless.</para> |
1864 |
useless.</para> |
| 1861 |
|
1865 |
<screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048</userinput> |
| 1862 |
<screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput> |
1866 |
Generating a 2048 bit RSA private key |
| 1863 |
Generating a 1024 bit RSA private key |
1867 |
..................+++ |
| 1864 |
................++++++ |
1868 |
.............................................................+++ |
| 1865 |
.......................................++++++ |
1869 |
writing new private key to 'cert.key' |
| 1866 |
writing new private key to 'cert.pem' |
|
|
| 1867 |
----- |
1870 |
----- |
| 1868 |
You are about to be asked to enter information that will be incorporated |
1871 |
You are about to be asked to enter information that will be incorporated |
| 1869 |
into your certificate request. |
1872 |
into your certificate request. |
|
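Review bot: `-nodes` in the updated `openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048` writes the private key to cert.key unencrypted, and the prose that follows ("should be stored in a secure location") never acknowledges that the file is now plaintext. Either drop `-nodes` so the key is passphrase-protected, or add a sentence stating that the key is unencrypted and should be created under a restrictive umask (e.g. `umask 077` before running the command). The other changes here, `-sha256` and `-newkey rsa:2048` replacing the old 1024-bit default together with the matching "Generating a 2048 bit RSA private key" transcript, are correct.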
Lines 1882-1888
|
| 1882 |
|
1885 |
|
| 1883 |
Please enter the following 'extra' attributes |
1886 |
Please enter the following 'extra' attributes |
| 1884 |
to be sent with your certificate request |
1887 |
to be sent with your certificate request |
| 1885 |
A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput> |
1888 |
A challenge password []: |
| 1886 |
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen> |
1889 |
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen> |
| 1887 |
|
1890 |
|
| 1888 |
<para>Other options, such as the expire time and alternate |
1891 |
<para>Other options, such as the expire time and alternate |
|
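Review bot: leaving "A challenge password []:" empty is the right change, but nothing in the surrounding text says why; add a short sentence noting that the challenge attribute is almost never used by CAs and that leaving it blank avoids managing another secret, so readers do not assume the prompt was skipped by mistake.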
Lines 1896-1902
|
| 1896 |
<acronym>CA</acronym> who will validate the entered |
1899 |
<acronym>CA</acronym> who will validate the entered |
| 1897 |
credentials, sign the request, and return the signed |
1900 |
credentials, sign the request, and return the signed |
| 1898 |
certificate. The second file, |
1901 |
certificate. The second file, |
| 1899 |
<filename>cert.pem</filename>, is the private key for the |
1902 |
<filename>cert.key</filename>, is the private key for the |
| 1900 |
certificate and should be stored in a secure location. If |
1903 |
certificate and should be stored in a secure location. If |
| 1901 |
this falls in the hands of others, it can be used to |
1904 |
this falls in the hands of others, it can be used to |
| 1902 |
impersonate the user or the server.</para> |
1905 |
impersonate the user or the server.</para> |
|
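Review bot: renaming the private key in this paragraph to `cert.key` matches `-keyout cert.key` in the updated req command, but the self-signed procedure later in this diff (`openssl genrsa ... -out cert.key 2048`) writes to the same filename, so a reader who follows both procedures in one directory silently overwrites the key that belongs to the CSR in req.pem. Use distinct names (for example req.key for the CSR's key) or add a note that the two procedures are alternatives.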
Lines 1905-1933
|
| 1905 |
is not required, a self-signed certificate can be created. |
1908 |
is not required, a self-signed certificate can be created. |
| 1906 |
First, generate the <acronym>RSA</acronym> key:</para> |
1909 |
First, generate the <acronym>RSA</acronym> key:</para> |
| 1907 |
|
1910 |
|
| 1908 |
<screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput> |
1911 |
<screen>&prompt.root; <userinput>openssl genrsa -rand -genkey -out cert.key 2048</userinput> |
| 1909 |
0 semi-random bytes loaded |
1912 |
0 semi-random bytes loaded |
| 1910 |
Generating DSA parameters, 1024 bit long prime |
1913 |
Generating RSA private key, 2048 bit long modulus |
| 1911 |
This could take some time |
1914 |
.............................................+++ |
| 1912 |
.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* |
1915 |
.................................................................................................................+++ |
| 1913 |
..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen> |
1916 |
e is 65537 (0x10001)</screen> |
| 1914 |
|
1917 |
|
| 1915 |
<para>Next, generate the <acronym>CA</acronym> key. When |
1918 |
<para>Use this key to create a self-signed certificate. |
| 1916 |
prompted, enter a passphrase between 4 to 1023 characters. |
1919 |
Follow the usual prompts for creating a certificate:</para> |
| 1917 |
Remember this passphrase as it is needed whenever the key is |
|
|
| 1918 |
used to sign a certificate.</para> |
| 1919 |
|
1920 |
|
| 1920 |
<screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput> |
1921 |
<screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256</userinput> |
| 1921 |
Generating DSA key, 1024 bits |
|
|
| 1922 |
Enter PEM pass phrase: |
| 1923 |
Verifying - Enter PEM pass phrase:</screen> |
| 1924 |
|
| 1925 |
<para>Use this key to create a self-signed certificate. When |
| 1926 |
prompted, enter the passphrase. Then follow the usual prompts |
| 1927 |
for creating a certificate:</para> |
| 1928 |
|
| 1929 |
<screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput> |
| 1930 |
Enter pass phrase for myca.key: |
| 1931 |
You are about to be asked to enter information that will be incorporated |
1922 |
You are about to be asked to enter information that will be incorporated |
| 1932 |
into your certificate request. |
1923 |
into your certificate request. |
| 1933 |
What you are about to enter is what is called a Distinguished Name or a DN. |
1924 |
What you are about to enter is what is called a Distinguished Name or a DN. |
|
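Review bot: `openssl genrsa -rand -genkey -out cert.key 2048` is incorrect: `-rand` takes a file argument and `-genkey` is a dsaparam/ecparam option, not a genrsa one, so here the literal string "-genkey" is consumed as the `-rand` filename, which is exactly why the transcript shows "0 semi-random bytes loaded". Use `openssl genrsa -out cert.key 2048` (or `openssl genrsa -aes256 -out cert.key 2048` if the passphrase protection that the removed `gendsa -des3` step provided is to be kept) and drop the "0 semi-random bytes loaded" line from the sample output; "Generating RSA private key, 2048 bit long modulus" and "e is 65537 (0x10001)" are the correct genrsa output. The new `openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256` command is fine, but the deleted paragraph about remembering the passphrase should be replaced with a sentence saying the key is now stored unencrypted, rather than simply removed.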
Lines 1944-1954
|
| 1944 |
Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> |
1935 |
Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> |
| 1945 |
|
1936 |
|
| 1946 |
<para>This will create two new files in the current directory: a |
1937 |
<para>This will create two new files in the current directory: a |
| 1947 |
certificate authority signature file, |
1938 |
private key file |
| 1948 |
<filename>myca.key</filename>, and the certificate itself, |
1939 |
<filename>cert.key</filename>, and the certificate itself, |
| 1949 |
<filename>new.crt</filename>. These should be placed in a |
1940 |
<filename>cert.crt</filename>. These should be placed in a |
| 1950 |
directory, preferably under <filename>/etc</filename>, which |
1941 |
directory, preferably under <filename>/etc/ssl/</filename>, |
| 1951 |
is readable only by <systemitem |
1942 |
which is readable only by <systemitem |
| 1952 |
class="username">root</systemitem>. Permissions of |
1943 |
class="username">root</systemitem>. Permissions of |
| 1953 |
<literal>0700</literal> are appropriate for these files and |
1944 |
<literal>0700</literal> are appropriate for these files and |
| 1954 |
can be set using <command>chmod</command>.</para> |
1945 |
can be set using <command>chmod</command>.</para> |
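Review bot: "Permissions of 0700 are appropriate for these files" is wrong for files: 0700 is a directory mode and on a file only adds a meaningless execute bit. The private key cert.key should be 0600 owned by root, while cert.crt contains nothing secret and normally has to be readable by the service or by clients (0644), so the "readable only by root" advice should apply to the key and the directory, not to the certificate. Also, "This will create two new files in the current directory" is no longer accurate after this change: cert.key is produced by the preceding genrsa step and `req -x509` writes only cert.crt; suggest "The certificate is written to cert.crt; together with the private key cert.key generated above, these should be placed ..." for the new text.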