FreeBSD Bugzilla – Attachment 155478 Details for Bug 199379: [PATCH] Update SSL key generation to today's standards.
[patch] openssl-chapter.diff.txt (text/plain), 5.04 KB, created by roland on 2015-04-11 14:50:29 UTC
Description: Patch for openssl chapter in handbook.
Flags: patch, obsolete
>Index: chapter.xml >=================================================================== >--- chapter.xml (revision 46515) >+++ chapter.xml (working copy) >@@ -1840,6 +1840,10 @@ > example of how to create a <acronym>CA</acronym> for signing > one's own certificates.</para> > >+ <para>For more information about SSL read the free <link >+ xlink:href="https://www.feistyduck.com/books/openssl-cookbook/"> >+ OpenSSL Cookbook</link>.</para> >+ > <sect2> > <title>Generating Certificates</title> > >@@ -1858,12 +1862,11 @@ > verifying the certificate will issue a warning to the user, > rendering the verification provided by the certificate as > useless.</para> >- >- <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput> >-Generating a 1024 bit RSA private key >-................++++++ >-.......................................++++++ >-writing new private key to 'cert.pem' >+ <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048</userinput> >+Generating a 2048 bit RSA private key >+..................+++ >+.............................................................+++ >+writing new private key to 'cert.key' > ----- > You are about to be asked to enter information that will be incorporated > into your certificate request. >@@ -1882,7 +1885,7 @@ > > Please enter the following 'extra' attributes > to be sent with your certificate request >-A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput> >+A challenge password []: > An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen> > > <para>Other options, such as the expire time and alternate 
>@@ -1896,7 +1899,7 @@ > <acronym>CA</acronym> who will validate the entered > credentials, sign the request, and return the signed > certificate. The second file, >- <filename>cert.pem</filename>, is the private key for the >+ <filename>cert.key</filename>, is the private key for the > certificate and should be stored in a secure location. If > this falls in the hands of others, it can be used to > impersonate the user or the server.</para> 
>@@ -1905,29 +1908,17 @@ > is not required, a self-signed certificate can be created. > First, generate the <acronym>RSA</acronym> key:</para> > >- <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput> >+ <screen>&prompt.root; <userinput>openssl genrsa -rand -genkey -out cert.key 2048</userinput> > 0 semi-random bytes loaded >-Generating DSA parameters, 1024 bit long prime >-This could take some time >-.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* >-..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen> >+Generating RSA private key, 2048 bit long modulus >+.............................................+++ >+.................................................................................................................+++ >+e is 65537 (0x10001)</screen> > >- <para>Next, generate the <acronym>CA</acronym> key. When >- prompted, enter a passphrase between 4 to 1023 characters. >- Remember this passphrase as it is needed whenever the key is >- used to sign a certificate.</para> >+ <para>Use this key to create a self-signed certificate. >+ Follow the usual prompts for creating a certificate:</para> > >- <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput> >-Generating DSA key, 1024 bits >-Enter PEM pass phrase: >-Verifying - Enter PEM pass phrase:</screen> >- >- <para>Use this key to create a self-signed certificate. When >- prompted, enter the passphrase. 
Then follow the usual prompts >- for creating a certificate:</para> >- >- <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput> >-Enter pass phrase for myca.key: >+ <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256</userinput> > You are about to be asked to enter information that will be incorporated > into your certificate request. > What you are about to enter is what is called a Distinguished Name or a DN. >@@ -1944,11 +1935,11 @@ > Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> > > <para>This will create two new files in the current directory: a >- certificate authority signature file, >- <filename>myca.key</filename>, and the certificate itself, >- <filename>new.crt</filename>. These should be placed in a >- directory, preferably under <filename>/etc</filename>, which >- is readable only by <systemitem >+ private key file >+ <filename>cert.key</filename>, and the certificate itself, >+ <filename>cert.crt</filename>. These should be placed in a >+ directory, preferably under <filename>/etc/ssl/</filename>, >+ which is readable only by <systemitem > class="username">root</systemitem>. Permissions of > <literal>0700</literal> are appropriate for these files and > can be set using <command>chmod</command>.</para>
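Review bot: in the first hunk (@@ -1840,6 +1840,10 @@) the new paragraph writes SSL bare, while the surrounding text marks acronyms up with an element (see `<acronym>CA</acronym>` two context lines above); use `<acronym>SSL</acronym>` in "For more information about SSL read the free ..." for consistency with the rest of the chapter.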
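Review bot: the second hunk (@@ -1858,12 +1862,11 @@) drops the blank line between `useless.</para>` and the new `<screen>` (the removed empty `>-` line has no `>+` counterpart), which breaks the para / blank line / screen spacing the file uses elsewhere, e.g. before `<screen>&prompt.root; <userinput>openssl genrsa ...` in the later hunk; re-add the blank line. The command itself is fine, but since `-nodes` writes `cert.key` unencrypted it would help to say so here, because the paragraph after the transcript only says the key "should be stored in a secure location".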
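Review bot: in the third hunk (@@ -1882,7 +1885,7 @@) the sample value for the challenge password is removed, leaving `A challenge password []:` in the transcript with nothing entered, but the text never says that this prompt is being skipped on purpose; add a short sentence (or a comment in the screen) that the challenge password can be left empty, otherwise readers will not know whether the blank is intentional.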
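Review bot: the `openssl genrsa -rand -genkey -out cert.key 2048` command in the fifth hunk (@@ -1905,29 +1908,17 @@) is wrong: `-genkey` is a `dsaparam` option carried over from the replaced line and is not accepted by `genrsa`, and `-rand` takes a file argument, so as written `-genkey` would be consumed as the seed file name (which is also why the retained context line `0 semi-random bytes loaded` appears). Suggest `openssl genrsa -out cert.key 2048` and dropping the `0 semi-random bytes loaded` line from the transcript, since it no longer corresponds to anything in the command.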
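Review bot: in the last hunk (@@ -1944,11 +1935,11 @@) the sentence still opens with "This will create two new files in the current directory", but after this change `cert.key` is produced by the preceding `openssl genrsa` step and `openssl req -new -x509 ... -key cert.key -out cert.crt` only writes `cert.crt`; reword to say the directory now holds the private key from the previous step and the new certificate. Also, the retained advice "Permissions of `0700` are appropriate for these files" reads oddly once both files are named: the execute bit does nothing for regular files, and `cert.crt` is the public half that the service presenting it must be able to read, so the strict mode only makes sense for `cert.key`.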