from the ssl manpage

GENERATING DSA SERVER CERTIFICATES
     Generating a DSA certificate involves several steps.  First, you generate
     a DSA parameter set with a command like the following:

           # openssl dsaparam 1024 -out dsa1024.pem

     Would generate DSA parameters for 1024 bit DSA keys, and save them to the
     file dsa1024.pem.

     Once you have the DSA parameters generated, you can generate a
     certificate and unencrypted private key using the command:

           # openssl req -x509 -nodes -newkey dsa:dsa1024.pem \
             -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem

     To generate an encrypted private key, you would use:

           # openssl req -x509 -newkey dsa:dsa1024.pem \
             -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem


GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS
     To support https transactions in httpd(8) you will need to generate an
     RSA certificate.

           # openssl genrsa -out /etc/ssl/private/server.key 1024

     Or, if you wish the key to be encrypted with a passphrase that you will
     have to type in when starting servers

           # openssl genrsa -des3 -out /etc/ssl/private/server.key 1024

     The next step is to generate a Certificate Signing Request which is used
     to get a Certifying Authority (CA) to sign your certificate.  To do this
     use the command:

           # openssl req -new -key /etc/ssl/private/server.key \
             -out /etc/ssl/private/server.csr

     This server.csr file can then be given to a Certifying Authority who will
     sign the key.  One such CA is Thawte Certification which you can reach at
     http://www.thawte.com/. Thawte can currently sign RSA keys for you.  A
     procedure is being worked out to allow for DSA keys.

     You can also sign the key yourself, using the command:

           # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
             -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

     With /etc/ssl/server.crt and /etc/ssl/private/server.key in place, you
     should be able to start httpd(8) with the -DSSL flag, enabling https
     transactions with your machine on port 443.


Is that what you were looking for?




On Wed, 25 Sep 2002, Jacques B. Siboni wrote:

> Hi all,
> 
> I am trying to install a clean configuration of OpenSSL. Do you know of a
> comprehensive documentation which explains a step by step configuration
> process?
> 
> So far I use the man pages, they are not a guide; and the SSL certificate
> howto, but it is not complete enough yet.
> 
> Thanks in advance
> 
> Jacques
> 
> -- 
> Dr. Jacques B. Siboni mailto:[EMAIL PROTECTED]
> 8 pass. Charles Albert, F75018 Paris, France
> Tel. & Fax: 33 (0) 1 42 28 76 78
> Home Page: http://www.lutecium.org/jacsib/
> 
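
The RSA key, CSR and self-signing steps from the manpage text quoted in the reply above, run non-interactively in a scratch directory and then checked, as an added example that is not part of the original message or of the manpage. The 2048-bit key size (instead of the 1024 shown in the manpage text), the `-subj` value, the scratch directory and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the manpage): key -> CSR -> self-signed cert,
# then the checks to run before pointing a server at the files.
# Assumptions: 2048-bit key, constructed -subj value, scratch directory.

make_selfsigned() (            # $1 = output directory, $2 = common name
    umask 077                  # subshell body: the umask change stays local
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" \
        -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
)

csr_is_valid() {               # $1 = CSR; checks its self-signature
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

cert_matches_key() {           # $1 = certificate, $2 = unencrypted private key
    # Both commands print the same SubjectPublicKeyInfo PEM when they pair up.
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

key_is_private() {             # $1 = key file; no group/other permission bits
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demo run in a throwaway directory (constructed host name).
demo=$(mktemp -d) &&
    make_selfsigned "$demo" www.example.org &&
    csr_is_valid "$demo/server.csr" &&
    cert_matches_key "$demo/server.crt" "$demo/server.key" &&
    key_is_private "$demo/server.key" &&
    echo "CSR valid, certificate matches key, key not group/world readable"
rm -rf "$demo"
```

A mismatch reported by `cert_matches_key` is the usual cause of a server refusing to start after the certificate or key file was regenerated separately.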
