Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: 30ab7af242
Branches Tags
openssl
/
doc
/
HOWTO
/
certificates.txt

certificates.txt 4.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105 
  1. <DRAFT!>
    2. 

  2. 			HOWTO certificates
    3. 

  3. 

  4. 1. Introduction
    5. 

  5. 

  6. How you handle certificates depend a great deal on what your role is.
    7. 

  7. Your role can be one or several of:
    8. 

  8. 

  9.   - User of some client software
    10. 

  10.   - User of some server software
    11. 

  11.   - Certificate authority
    12. 

  12. 

  13. This file is for users who wish to get a certificate of their own.
    14. 

  14. Certificate authorities should read ca.txt.
    15. 

  15. 

  16. In all the cases shown below, the standard configuration file, as
    17. 

  17. compiled into openssl, will be used.  You may find it in /etc/,
    18. 

  18. /usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
    19. 

  19. is better described in another HOWTO <config.txt?>.  If you want to
    20. 

  20. use a different configuration file, use the argument '-config {file}'
    21. 

  21. with the command shown below.
    22. 

  22. 

  23. 

  24. 2. Relationship with keys
    25. 

  25. 

  26. Certificates are related to public key cryptography by containing a
    27. 

  27. public key.  To be useful, there must be a corresponding private key
    28. 

  28. somewhere.  With OpenSSL, public keys are easily derived from private
    29. 

  29. keys, so before you create a certificate or a certificate request, you
    30. 

  30. need to create a private key.
    31. 

  31. 

  32. Private keys are generated with 'openssl genrsa' if you want a RSA
    33. 

  33. private key, or 'openssl gendsa' if you want a DSA private key.
    34. 

  34. Further information on how to create private keys can be found in
    35. 

  35. another HOWTO <keys.txt?>.  The rest of this text assumes you have
    36. 

  36. a private key in the file privkey.pem.
    37. 

  37. 

  38. 

  39. 3. Creating a certificate request
    40. 

  40. 

  41. To create a certificate, you need to start with a certificate
    42. 

  42. request (or, as some certificate authorities like to put
    43. 

  43. it, "certificate signing request", since that's exactly what they do,
    44. 

  44. they sign it and give you the result back, thus making it authentic
    45. 

  45. according to their policies).  A certificate request can then be sent
    46. 

  46. to a certificate authority to get it signed into a certificate, or if
    47. 

  47. you have your own certificate authority, you may sign it yourself, or
    48. 

  48. if you need a self-signed certificate (because you just want a test
    49. 

  49. certificate or because you are setting up your own CA).
    50. 

  50. 

  51. The certificate request is created like this:
    52. 

  52. 

  53.   openssl req -new -key privkey.pem -out cert.csr
    54. 

  54. 

  55. Now, cert.csr can be sent to the certificate authority, if they can
    56. 

  56. handle files in PEM format.  If not, use the extra argument '-outform'
    57. 

  57. followed by the keyword for the format to use (see another HOWTO
    58. 

  58. <formats.txt?>).  In some cases, that isn't sufficient and you will
    59. 

  59. have to be more creative.
    60. 

  60. 

  61. When the certificate authority has then done the checks the need to
    62. 

  62. do (and probably gotten payment from you), they will hand over your
    63. 

  63. new certificate to you.
    64. 

  64. 

  65. Section 5 will tell you more on how to handle the certificate you
    66. 

  66. received.
    67. 

  67. 

  68. 

  69. 4. Creating a self-signed test certificate
    70. 

  70. 

  71. If you don't want to deal with another certificate authority, or just
    72. 

  72. want to create a test certificate for yourself.  This is similar to
    73. 

  73. creating a certificate request, but creates a certificate instead of
    74. 

  74. a certificate request.  This is NOT the recommended way to create a
    75. 

  75. CA certificate, see ca.txt.
    76. 

  76. 

  77.   openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
    78. 

  78. 

  79. 

  80. 5. What to do with the certificate
    81. 

  81. 

  82. If you created everything yourself, or if the certificate authority
    83. 

  83. was kind enough, your certificate is a raw DER thing in PEM format.
    84. 

  84. Your key most definitely is if you have followed the examples above.
    85. 

  85. However, some (most?) certificate authorities will encode them with
    86. 

  86. things like PKCS7 or PKCS12, or something else.  Depending on your
    87. 

  87. applications, this may be perfectly OK, it all depends on what they
    88. 

  88. know how to decode.  If not, There are a number of OpenSSL tools to
    89. 

  89. convert between some (most?) formats.
    90. 

  90. 

  91. So, depending on your application, you may have to convert your
    92. 

  92. certificate and your key to various formats, most often also putting
    93. 

  93. them together into one file.  The ways to do this is described in
    94. 

  94. another HOWTO <formats.txt?>, I will just mention the simplest case.
    95. 

  95. In the case of a raw DER thing in PEM format, and assuming that's all
    96. 

  96. right for yor applications, simply concatenating the certificate and
    97. 

  97. the key into a new file and using that one should be enough.  With
    98. 

  98. some applications, you don't even have to do that.
    99. 

  99. 

  100. 

  101. By now, you have your cetificate and your private key and can start
    102. 

  102. using the software that depend on it.
    103. 

  103. 

  104. -- 
    105. 

  105. Richard Levitte
    106.