Lines 1840-1845
|
1840 |
example of how to create a <acronym>CA</acronym> for signing |
1840 |
example of how to create a <acronym>CA</acronym> for signing |
1841 |
one's own certificates.</para> |
1841 |
one's own certificates.</para> |
1842 |
|
1842 |
|
|
|
1843 |
<para>For more information about SSL read the free <link |
1844 |
xlink:href="https://www.feistyduck.com/books/openssl-cookbook/"> |
1845 |
OpenSSL Cookbook</link>.</para> |
1846 |
|
1843 |
<sect2> |
1847 |
<sect2> |
1844 |
<title>Generating Certificates</title> |
1848 |
<title>Generating Certificates</title> |
1845 |
|
1849 |
|
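Review bot: the new paragraph at 1843-1845 reads "For more information about SSL read the free OpenSSL Cookbook"; a comma after "SSL" is needed, and since this revision moves the examples to SHA-256 and 2048-bit RSA, "SSL/TLS" would match the rest of the section better. The link text also begins on the line after the opening `<link>` tag, so the rendered anchor text may pick up a leading space; writing `...openssl-cookbook/">OpenSSL Cookbook</link>` on one line avoids that.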
Lines 1858-1869
|
1858 |
verifying the certificate will issue a warning to the user, |
1862 |
verifying the certificate will issue a warning to the user, |
1859 |
rendering the verification provided by the certificate as |
1863 |
rendering the verification provided by the certificate as |
1860 |
useless.</para> |
1864 |
useless.</para> |
1861 |
|
1865 |
<screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048</userinput> |
1862 |
<screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput> |
1866 |
Generating a 2048 bit RSA private key |
1863 |
Generating a 1024 bit RSA private key |
1867 |
..................+++ |
1864 |
................++++++ |
1868 |
.............................................................+++ |
1865 |
.......................................++++++ |
1869 |
writing new private key to 'cert.key' |
1866 |
writing new private key to 'cert.pem' |
|
|
1867 |
----- |
1870 |
----- |
1868 |
You are about to be asked to enter information that will be incorporated |
1871 |
You are about to be asked to enter information that will be incorporated |
1869 |
into your certificate request. |
1872 |
into your certificate request. |
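Review bot: the new command at 1865 keeps `-nodes` while renaming the key file to `cert.key` and making the key size explicit with `-newkey rsa:2048`; `-nodes` means the private key is written to disk unencrypted, and nothing in the surrounding prose says so. A half-sentence after the transcript stating that the key is unencrypted and must be protected (the later paragraph already says it should be stored in a secure location) would make that trade-off explicit. The transcript at 1866-1869 is updated consistently with the command (2048-bit, `cert.key`), which is good.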
Lines 1882-1888
|
1882 |
|
1885 |
|
1883 |
Please enter the following 'extra' attributes |
1886 |
Please enter the following 'extra' attributes |
1884 |
to be sent with your certificate request |
1887 |
to be sent with your certificate request |
1885 |
A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput> |
1888 |
A challenge password []: |
1886 |
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen> |
1889 |
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen> |
1887 |
|
1890 |
|
1888 |
<para>Other options, such as the expire time and alternate |
1891 |
<para>Other options, such as the expire time and alternate |
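Review bot: at 1888 the challenge password prompt is now left empty in the transcript, while the optional company name at 1889 still shows a filled-in `<replaceable>` value, and nothing in the prose explains the difference. Add a sentence (the paragraph starting at 1891, "Other options, ...", is a natural place) saying that the challenge password is an optional request attribute that may be left blank, so the empty prompt does not look like an omission in the example.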
Lines 1896-1902
|
1896 |
<acronym>CA</acronym> who will validate the entered |
1899 |
<acronym>CA</acronym> who will validate the entered |
1897 |
credentials, sign the request, and return the signed |
1900 |
credentials, sign the request, and return the signed |
1898 |
certificate. The second file, |
1901 |
certificate. The second file, |
1899 |
<filename>cert.pem</filename>, is the private key for the |
1902 |
<filename>cert.key</filename>, is the private key for the |
1900 |
certificate and should be stored in a secure location. If |
1903 |
certificate and should be stored in a secure location. If |
1901 |
this falls in the hands of others, it can be used to |
1904 |
this falls in the hands of others, it can be used to |
1902 |
impersonate the user or the server.</para> |
1905 |
impersonate the user or the server.</para> |
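Review bot: the rename at 1902 (`cert.pem` to `cert.key`) matches the `-keyout cert.key` introduced in the command earlier in this change, so prose and transcript agree again; please check that no other mention of `cert.pem` survives in the section. While this paragraph is being touched, "If this falls in the hands of others" (1903-1904) should read "into the hands of others".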
Lines 1905-1933
|
1905 |
is not required, a self-signed certificate can be created. |
1908 |
is not required, a self-signed certificate can be created. |
1906 |
First, generate the <acronym>RSA</acronym> key:</para> |
1909 |
First, generate the <acronym>RSA</acronym> key:</para> |
1907 |
|
1910 |
|
1908 |
<screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput> |
1911 |
<screen>&prompt.root; <userinput>openssl genrsa -rand -genkey -out cert.key 2048</userinput> |
1909 |
0 semi-random bytes loaded |
1912 |
0 semi-random bytes loaded |
1910 |
Generating DSA parameters, 1024 bit long prime |
1913 |
Generating RSA private key, 2048 bit long modulus |
1911 |
This could take some time |
1914 |
.............................................+++ |
1912 |
.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* |
1915 |
.................................................................................................................+++ |
1913 |
..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen> |
1916 |
e is 65537 (0x10001)</screen> |
1914 |
|
1917 |
|
1915 |
<para>Next, generate the <acronym>CA</acronym> key. When |
1918 |
<para>Use this key to create a self-signed certificate. |
1916 |
prompted, enter a passphrase between 4 to 1023 characters. |
1919 |
Follow the usual prompts for creating a certificate:</para> |
1917 |
Remember this passphrase as it is needed whenever the key is |
|
|
1918 |
used to sign a certificate.</para> |
1919 |
|
1920 |
|
1920 |
<screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput> |
1921 |
<screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256</userinput> |
1921 |
Generating DSA key, 1024 bits |
|
|
1922 |
Enter PEM pass phrase: |
1923 |
Verifying - Enter PEM pass phrase:</screen> |
1924 |
|
1925 |
<para>Use this key to create a self-signed certificate. When |
1926 |
prompted, enter the passphrase. Then follow the usual prompts |
1927 |
for creating a certificate:</para> |
1928 |
|
1929 |
<screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput> |
1930 |
Enter pass phrase for myca.key: |
1931 |
You are about to be asked to enter information that will be incorporated |
1922 |
You are about to be asked to enter information that will be incorporated |
1932 |
into your certificate request. |
1923 |
into your certificate request. |
1933 |
What you are about to enter is what is called a Distinguished Name or a DN. |
1924 |
What you are about to enter is what is called a Distinguished Name or a DN. |
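Review bot: the new command at 1911, `openssl genrsa -rand -genkey -out cert.key 2048`, is wrong as written: `-rand` takes a file argument and `-genkey` is not a `genrsa` option, so `-genkey` is consumed as the (nonexistent) seed file, which is exactly why the transcript at 1912 still shows "0 semi-random bytes loaded". The key is generated anyway, but both options should go: `openssl genrsa -out cert.key 2048`, with the "0 semi-random bytes loaded" line dropped from the transcript. Separately, this example now writes its key to `cert.key`, the same name the CSR example earlier in this change writes with `-keyout cert.key`; a reader who runs both in one directory silently overwrites the first key, so either use a distinct name here or state that the two examples are alternatives. Dropping the `-des3` step at old 1920-1923 also means this key is stored unencrypted, which the new prose at 1918-1919 does not mention.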
Lines 1944-1954
Link Here
|
1944 |
Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> |
1935 |
Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> |
1945 |
|
1936 |
|
1946 |
<para>This will create two new files in the current directory: a |
1937 |
<para>This will create two new files in the current directory: a |
1947 |
certificate authority signature file, |
1938 |
private key file |
1948 |
<filename>myca.key</filename>, and the certificate itself, |
1939 |
<filename>cert.key</filename>, and the certificate itself, |
1949 |
<filename>new.crt</filename>. These should be placed in a |
1940 |
<filename>cert.crt</filename>. These should be placed in a |
1950 |
directory, preferably under <filename>/etc</filename>, which |
1941 |
directory, preferably under <filename>/etc/ssl/</filename>, |
1951 |
is readable only by <systemitem |
1942 |
which is readable only by <systemitem |
1952 |
class="username">root</systemitem>. Permissions of |
1943 |
class="username">root</systemitem>. Permissions of |
1953 |
<literal>0700</literal> are appropriate for these files and |
1944 |
<literal>0700</literal> are appropriate for these files and |
1954 |
can be set using <command>chmod</command>.</para> |
1945 |
can be set using <command>chmod</command>.</para> |
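Review bot: "This will create two new files" at 1937 is no longer accurate: after this change `cert.key` is produced by the `genrsa` step, and `openssl req -x509 ... -out cert.crt` writes only `cert.crt`. Reword along the lines of "The private key, cert.key, and the self-signed certificate, cert.crt, should be placed in a directory...". The permissions advice at 1944 also deserves a second look while the paragraph is being edited: `0700` sets an execute bit that files do not need, so `0600` is the right mode for `cert.key` (with `0700` on the directory), and `cert.crt` contains only public data and is normally left readable so the service can load it.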