Thanks Dave, could you please elaborate on the lines below too?

$(OPENSSL) req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem \
    -config root.cnf
$(OPENSSL) x509 -req -in rootreq.pem -sha1 -extfile root.cnf \
    -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem
$(CAT) rootcert.pem rootkey.pem > root.pem

$(OPENSSL) req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem \
    -out serverCAreq.pem -config serverCA.cnf
$(OPENSSL) x509 -req -in serverCAreq.pem -sha1 -extfile serverCA.cnf \
    -extensions certificate_extensions -CA root.pem -CAkey root.pem \
    -CAcreateserial -out serverCAcert.pem
$(CAT) serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

-Thanks
 mithun

On Wed, Apr 11, 2012 at 1:45 AM, Dave Thompson <dthomp...@prinpay.com> wrote:

> >       From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
> >       Sent: Monday, 09 April, 2012 01:54
>
> >       I am a newbie to OpenSSL. I am trying to understand how certificates
> > are generated. I downloaded the samples and started understanding
> > the "Makefile" that came with the sources.
>
> FYI- this is *a* way of generating matching keys and certificates,
> which is what you need, in OpenSSL. There are other methods.
>
> >       Below is my understanding so far
>
> >        $(OPENSSL) req -newkey rsa:1024 -sha1 -keyout serverkey.pem
> > -out serverreq.pem -config server.cnf -reqexts req_extensions
> >           Here we are trying to create a RSA private key with Private
> > Key file "serverkey.pem" and output file "serverreq.pem"
>
> This creates an RSA key*pair* (private and public) which is stored
> in CRT format in serverkey.pem, *and* a certificate signing request
> aka CSR for the publickey half of that keypair in serverreq.pem.
> Although theoretically RSA public and private keys can be distinct
> with only (e,n) and (d,n), much better performance is obtained
> by the CRT implementation which stores e,d,n,p,q plus more.
> The publickey (e,n) is extracted from CRT format when needed.
> (CRT here means Chinese Remainder Theorem.)
>
> >        $(OPENSSL) x509 -req -in serverreq.pem -sha1 -extfile server.cnf
> > -extensions certificate_extensions -CA serverCA.pem -CAkey serverCA.pem
> > -CAcreateserial -out servercert.pem
> >            Here we are creating a ServerCertificate which has the
> > private key from serverreq.pem, signed by CA serverCA.pem using
> > CA private key serverCA.pem
>
> The cert has the *public*key from the CSR, plus other information.
> It is signed by the CA's privatekey in serverCA.pem and is linked
> "under" the CA's certificate (matching that CA privatekey) also in
> serverCA.pem. (In many but not all cases, OpenSSL allows multiple
> things to be stored in one .pem file. Other programs may not.)
>
> >        $(CAT) servercert.pem serverkey.pem serverCAcert.pem
> > rootcert.pem > server.pem
> >            Not sure why we are doing this here.
>
> Assuming serverCAcert.pem contains the same cert as serverCA.pem
> (but *not* the privatekey apparently also in serverCA.pem) and
> rootcert.pem contains the root cert "over" serverCAcert.pem,
> this puts the server's keypair, the cert for the server's key,
> the CA cert "over" the server's cert (called an intermediate or
> "chain" cert), and the root cert all in one file. Some servers
> (can) use a single file like that to define together the (server)
> key and cert with its chain they use for SSL/TLS handshake. Some
> clients do the same if you use client auth, but that is rarer.
>
> Technically the server doesn't need the root cert in this file.
> Any root supplied by the server to the client during handshaking
> is ignored; the client must use only a root configured locally.
> But if you want a record of what root the server cert chain uses,
> putting it in the file is a convenient and reliable way.
>
> >       Can someone explain the above 3 commands to me clearly.
> >       Also during Server Authentication, Server sends its certificate
> > to the client which has the Public Key of the server. Here where is
> > the Public Key generated?
>
> As above; the publickey in the server cert came from the CSR, which
> came from the server keypair generated and stored in the first step.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
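As an added illustration of the three-tier chain the Makefile builds (root, serverCA, server) and of Dave's point that the client trusts only a locally configured root while the intermediate must travel with the server cert, the script below (not the sample Makefile, not Dave's code) builds the chain in a temporary directory and verifies the server cert with and without the intermediate. It assumes the openssl CLI is installed, uses a constructed chain.cnf, and uses rsa:2048/sha256 rather than the Makefile's rsa:1024/sha1.

```shell
# Builds root -> serverCA -> server in a temp dir and prints the dir.
# Added example; the config below is constructed for this illustration.
build_chain() (
  set -e
  dir=$(mktemp -d)
  cd "$dir"
  # CA:TRUE for the two CAs, CA:FALSE for the server leaf.
  cat > chain.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  # Root: keypair + CSR, then self-signed with its own key (-signkey).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=ExampleRoot \
    -config chain.cnf -keyout rootkey.pem -out rootreq.pem
  openssl x509 -req -in rootreq.pem -sha256 -days 365 -extfile chain.cnf \
    -extensions ca_ext -signkey rootkey.pem -out rootcert.pem
  # Intermediate (serverCA): CSR signed by the root's key.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=ExampleServerCA \
    -config chain.cnf -keyout serverCAkey.pem -out serverCAreq.pem
  openssl x509 -req -in serverCAreq.pem -sha256 -days 365 -extfile chain.cnf \
    -extensions ca_ext -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial \
    -out serverCAcert.pem
  # Server leaf: CSR signed by the intermediate's key.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=server.example \
    -config chain.cnf -keyout serverkey.pem -out serverreq.pem
  openssl x509 -req -in serverreq.pem -sha256 -days 365 -extfile chain.cnf \
    -extensions leaf_ext -CA serverCAcert.pem -CAkey serverCAkey.pem \
    -CAcreateserial -out servercert.pem
  # What a server presents in the handshake: leaf + intermediate, no root.
  cat servercert.pem serverCAcert.pem > server_chain.pem
  echo "$dir"
)
# Client-side check: trust only the root locally, take the intermediate
# from the presented chain. Returns 0 when the leaf chains to the root.
verify_with_chain() {
  openssl verify -CAfile "$1/rootcert.pem" -untrusted "$1/server_chain.pem" \
    "$1/servercert.pem" >/dev/null 2>&1
}
# Same check without the intermediate must fail (issuer not found), which
# is why the Makefile bundles serverCAcert.pem with the server cert.
verify_without_intermediate_fails() {
  ! openssl verify -CAfile "$1/rootcert.pem" "$1/servercert.pem" >/dev/null 2>&1
}
```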