FreeBSD Bugzilla – Attachment 145107 Details for Bug 192225: Updates and corrections to OpenSSL section of the Handbook (14.6.1)
diff with corrections
diff.txt (text/plain), 4.47 KB, created by rsimmons0 on 2014-07-28 22:39:50 UTC
>--- chapter.xml-old 2014-07-28 14:45:41.000000000 -0400 >+++ chapter.xml 2014-07-28 18:28:16.000000000 -0400 >@@ -1859,11 +1859,12 @@ > rendering the verification provided by the certificate as > useless.</para> > >- <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput> >-Generating a 1024 bit RSA private key >+ <screen>&prompt.root; <userinput>touch key.pem && chmod 0600 key.pem</userinput> >+&prompt.root; <userinput>openssl req -newkey rsa:2048 -new -nodes -out req.pem -keyout key.pem</userinput> >+Generating a 2048 bit RSA private key > ................++++++ > .......................................++++++ >-writing new private key to 'cert.pem' >+writing new private key to 'key.pem' > ----- > You are about to be asked to enter information that will be incorporated > into your certificate request. 
>@@ -1896,29 +1897,19 @@ > <acronym>CA</acronym> who will validate the entered > credentials, sign the request, and return the signed > certificate. The second file, >- <filename>cert.pem</filename>, is the private key for the >- certificate and should be stored in a secure location. If >- this falls in the hands of others, it can be used to >+ <filename>key.pem</filename>, is the private key for the >+ certificate and should be stored in a secure location. >+ If this falls in the hands of others, it can be used to > impersonate the user or the server.</para> > > <para>Alternately, if a signature from a <acronym>CA</acronym> > is not required, a self-signed certificate can be created. > First, generate the <acronym>RSA</acronym> key:</para> > >- <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput> >-0 semi-random bytes loaded >-Generating DSA parameters, 1024 bit long prime >-This could take some time >-.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* >-..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen> >- >- <para>Next, generate the <acronym>CA</acronym> key. When >- prompted, enter a passphrase between 4 to 1023 characters. >- Remember this passphrase as it is needed whenever the key is >- used to sign a certificate.</para> >- >- <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput> >-Generating DSA key, 1024 bits >+ <screen>&prompt.root; <userinput>touch key.pem && chmod 0600 key.pem</userinput> >+&prompt.root; <userinput>openssl genpkey -algorithm RSA -des3 -out key.pem -pkeyopt rsa_keygen_bits:2048</userinput> >+..............+++ >+...............+++ > Enter PEM pass phrase: > Verifying - Enter PEM pass phrase:</screen> 
> >@@ -1926,8 +1917,8 @@ > prompted, enter the passphrase. Then follow the usual prompts > for creating a certificate:</para> > >- <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput> >-Enter pass phrase for myca.key: >+ <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key key.pem -out cert.pem</userinput> >+Enter pass phrase for key.pem: > You are about to be asked to enter information that will be incorporated > into your certificate request. > What you are about to enter is what is called a Distinguished Name or a DN. >@@ -1943,15 +1934,14 @@ > Common Name (e.g. server FQDN or YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput> > Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> > >- <para>This will create two new files in the current directory: a >- certificate authority signature file, >- <filename>myca.key</filename>, and the certificate itself, >- <filename>new.crt</filename>. These should be placed in a >- directory, preferably under <filename>/etc</filename>, which >- is readable only by <systemitem >- class="username">root</systemitem>. Permissions of >- <literal>0700</literal> are appropriate for these files and >- can be set using <command>chmod</command>.</para> >+ <para>This will create two new files in the current directory: >+ An RSA private key, <filename>key.pem</filename>, and the >+ self signed certificate, <filename>cert.pem</filename>. >+ These should be placed in a directory, preferably under >+ <filename>/etc/ssl</filename>, which is readable only by >+ <systemitem class="username">root</systemitem>. Permissions >+ of <literal>0600</literal> are appropriate for these files >+ and can be set using <command>chmod</command>.</para> > </sect2> > > <sect2>
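Review bot: In the @@ -1859,11 +1859,12 @@ hunk, the added line "touch key.pem && chmod 0600 key.pem" puts a raw "&&" inside <userinput>, which is not well-formed XML and will break the chapter build; it needs to be written as "&amp;&amp;". The same line is added again in the @@ -1896,29 +1897,19 @@ hunk and needs the same escaping. On the next added line, "-newkey rsa:2048" already requests a new key and a new request, so the "-new" that follows it is redundant and can be dropped. The two unchanged progress lines ending in "++++++" are left over from the 1024-bit run and no longer match the "+++" output shown for the 2048-bit key later in the patch.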
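Review bot: In the @@ -1896,29 +1897,19 @@ hunk, the removed paragraph ("When prompted, enter a passphrase ... Remember this passphrase as it is needed whenever the key is used to sign a certificate.") was the only explanation of the "Enter PEM pass phrase:" prompt, which the new <screen> still shows, and the following paragraph still says "enter the passphrase". Keep a sentence before or after the genpkey command telling the reader that a passphrase is set here and is required each time the key is used. The self-signed example also now writes to key.pem, the same name as the unencrypted key from the request example above, so a reader following both in one directory overwrites the first key; a distinct filename or a short warning would avoid that. The first three changed lines of the hunk after the filename change are a whitespace-only rewrap and could be left out to keep the diff minimal.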
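Review bot: In the @@ -1943,15 +1934,14 @@ hunk, the new paragraph applies "Permissions of 0600" to "these files", meaning both key.pem and cert.pem, but only the private key needs to be restricted; the certificate is public and usually has to be readable by the service that presents it. Suggest stating 0600 for key.pem and treating cert.pem separately. Style points in the same paragraph: "An RSA private key" should not be capitalized after the colon, "RSA" should be wrapped in <acronym> as it is earlier in the chapter, and "self signed" should be "self-signed" to match the "self-signed certificate" wording in the preceding hunk.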