首頁 探索 說明
登入
OWEALs
/
openssl
镜像来自 git://git.openssl.org/openssl.git
2
0
複刻 0
檔案 問題管理 1 Wiki
目錄樹: c6738fd208
分支列表 標籤列表
openssl
/
doc
/
HOWTO
/
keys.txt

keys.txt 2.5 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. <DRAFT!>
    2. 

  2. 			HOWTO keys
    3. 

  3. 

  4. 1. Introduction
    5. 

  5. 

  6. Keys are the basis of public key algorithms and PKI.  Keys usually
    7. 

  7. come in pairs, with one half being the public key and the other half
    8. 

  8. being the private key.  With OpenSSL, the private key contains the
    9. 

  9. public key information as well, so a public key doesn't need to be
    10. 

  10. generated separately.
    11. 

  11. 

  12. Public keys come in several flavors, using different cryptographic
    13. 

  13. algorithms.  The most popular ones associated with certificates are
    14. 

  14. RSA and DSA, and this HOWTO will show how to generate each of them.
    15. 

  15. 

  16. 

  17. 2. To generate a RSA key
    18. 

  18. 

  19. A RSA key can be used both for encryption and for signing.
    20. 

  20. 

  21. Generating a key for the RSA algorithm is quite easy, all you have to
    22. 

  22. do is the following:
    23. 

  23. 

  24.   openssl genrsa -des3 -out privkey.pem 2048
    25. 

  25. 

  26. With this variant, you will be prompted for a protecting password.  If
    27. 

  27. you don't want your key to be protected by a password, remove the flag
    28. 

  28. '-des3' from the command line above.
    29. 

  29. 

  30.     NOTE: if you intend to use the key together with a server
    31. 

  31.     certificate, it may be a good thing to avoid protecting it
    32. 

  32.     with a password, since that would mean someone would have to
    33. 

  33.     type in the password every time the server needs to access
    34. 

  34.     the key.
    35. 

  35. 

  36. The number 2048 is the size of the key, in bits.  Today, 2048 or
    37. 

  37. higher is recommended for RSA keys, as fewer amount of bits is
    38. 

  38. consider insecure or to be insecure pretty soon.
    39. 

  39. 

  40. 

  41. 3. To generate a DSA key
    42. 

  42. 

  43. A DSA key can be used for signing only.  It is important to
    44. 

  44. know what a certificate request with a DSA key can really be used for.
    45. 

  45. 

  46. Generating a key for the DSA algorithm is a two-step process.  First,
    47. 

  47. you have to generate parameters from which to generate the key:
    48. 

  48. 

  49.   openssl dsaparam -out dsaparam.pem 2048
    50. 

  50. 

  51. The number 2048 is the size of the key, in bits.  Today, 2048 or
    52. 

  52. higher is recommended for DSA keys, as fewer amount of bits is
    53. 

  53. consider insecure or to be insecure pretty soon.
    54. 

  54. 

  55. When that is done, you can generate a key using the parameters in
    56. 

  56. question (actually, several keys can be generated from the same
    57. 

  57. parameters):
    58. 

  58. 

  59.   openssl gendsa -des3 -out privkey.pem dsaparam.pem
    60. 

  60. 

  61. With this variant, you will be prompted for a protecting password.  If
    62. 

  62. you don't want your key to be protected by a password, remove the flag
    63. 

  63. '-des3' from the command line above.
    64. 

  64. 

  65.     NOTE: if you intend to use the key together with a server
    66. 

  66.     certificate, it may be a good thing to avoid protecting it
    67. 

  67.     with a password, since that would mean someone would have to
    68. 

  68.     type in the password every time the server needs to access
    69. 

  69.     the key.
    70. 

  70. 

  71. -- 
    72. 

  72. Richard Levitte
    73.