author | Richard Levitte <levitte@openssl.org> | 2003-01-14 16:42:16 +0100 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2003-01-14 16:42:16 +0100 |
commit | cdc5b4a41ebc0a6d088887cdfefdd632534969ff (patch) | |
tree | 2b172abd324ff5400de61cddd7231897d0e0ce96 /doc/HOWTO/keys.txt | |
parent | Document hpux-parisc2-cc problems, probably due to optimizer bug. (diff) | |
download | openssl-cdc5b4a41ebc0a6d088887cdfefdd632534969ff.tar.xz openssl-cdc5b4a41ebc0a6d088887cdfefdd632534969ff.zip |
Extend the HOWTO on creating certificates, and add a HOWTO in creating keys.
PR: 422
Diffstat (limited to 'doc/HOWTO/keys.txt')
-rw-r--r-- | doc/HOWTO/keys.txt | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/doc/HOWTO/keys.txt b/doc/HOWTO/keys.txt new file mode 100644 index 0000000000..45f42eaaf1 --- /dev/null +++ b/doc/HOWTO/keys.txt 
@@ -0,0 +1,73 @@ +<DRAFT!> + HOWTO keys + +1. Introduction + +Keys are the basis of public key algorithms and PKI. Keys usually +come in pairs, with one half being the public key and the other half +being the private key. With OpenSSL, the private key contains the +public key information as well, so a public key doesn't need to be +generated separately. + +Public keys come in several flavors, using different cryptographic +algorithms. The most popular ones associated with certificates are +RSA and DSA, and this HOWTO will show how to generate each of them. + + +2. To generate a RSA key + +A RSA key can be used both for encryption and for signing. + +Generating a key for the RSA algorithm is quite easy, all you have to +do is the following: + + openssl genrsa -des3 -out privkey.pem 2048 + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + + NOTE: if you intend to use the key together with a server + certificate, it may be a good thing to avoid protecting it + with a password, since that would mean someone would have to + type in the password every time the server needs to access + the key. + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for RSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. + + +3. To generate a DSA key + +A DSA key can be used both for signing only. This is important to +keep in mind to know what kind of purposes a certificate request with +a DSA key can really be used for. + +Generating a key for the DSA algorithm is a two-step process. First, +you have to generate parameters from which to generate the key: + + openssl dsaparam -out dsaparam.pem 2048 + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for DSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. 
+ +When that is done, you can generate a key using the parameters in +question (actually, several keys can be generated from the same +parameters): + + openssl gendsa -des3 -out privkey.pem dsaparam.pem + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + + NOTE: if you intend to use the key together with a server + certificate, it may be a good thing to avoid protecting it + with a password, since that would mean someone would have to + type in the password every time the server needs to access + the key. + +-- +Richard Levitte |
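Review bot: The opening sentence of section 3 in this hunk is self-contradictory: "A DSA key can be used both for signing only." looks like a leftover from the RSA sentence above it ("can be used both for encryption and for signing") and should read "A DSA key can be used for signing only." The two "The number 2048 is the size of the key" paragraphs (RSA and DSA) both carry the same ungrammatical clause, "as fewer amount of bits is consider insecure or to be insecure pretty soon"; suggest "as a smaller number of bits is considered insecure, or likely to become insecure soon." Finally, both NOTE blocks advise leaving a server's private key without a password but say nothing about what protects the unencrypted privkey.pem instead; adding that such a key file should be readable only by the account the server runs as would keep the note from reading as "unprotected is fine." Since the file still carries the <DRAFT!> marker, these are worth fixing before it is dropped.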