Re: ssl(8) kill "generating dsa server certificates"
I see. I guess people who really need DSA keys can figure this out from
the general format of the other sections. Thanks for putting this into
perspective.

On Mon, 6 Jun 2016 14:57:54 +0100 Stuart Henderson wrote:
> On 2016/06/06 23:52, bytevolc...@safe-mail.net wrote:
> > Whilst not a developer per se, I don't see any reason why omitting
> > the documentation for a feature that is present is a good idea,
> > unless the feature is/will be removed.
>
> The documentation is still in openssl(8).
>
> ssl(8) is a higher-level "how to set up TLS for your web/etc server"
> and including non-useful things there just serves to confuse people.
Re: ssl(8) kill "generating dsa server certificates"
yeah. nuke it On Monday, 6 June 2016, Stuart Hendersonwrote: > I don't think we should be encouraging anyone to do this...ok? > > Index: ssl.8 > === > RCS file: /cvs/src/share/man/man8/ssl.8,v > retrieving revision 1.63 > diff -u -p -r1.63 ssl.8 > --- ssl.8 8 Feb 2016 19:29:58 - 1.63 > +++ ssl.8 6 Jun 2016 12:38:26 - > @@ -112,38 +112,6 @@ you can switch to using the new certific > with the certificate signed by your Certificate Authority, and then > restarting > .Xr httpd 8 . > -.Sh GENERATING DSA SERVER CERTIFICATES > -Generating a DSA certificate involves several steps. > -First, generate parameters for DSA keys. > -The following command will generate 1024-bit keys: > -.Bd -literal -offset indent > -# openssl dsaparam 1024 -out dsa1024.pem > -.Ed > -.Pp > -Once you have the DSA parameters generated, you can generate a > -CSR and unencrypted private key using the command: > -.Bd -literal -offset indent > -# openssl req -nodes -newkey dsa:dsa1024.pem \e > - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem > -.Ed > -.Pp > -To generate an encrypted private key, you would use: > -.Bd -literal -offset indent > -# openssl req -newkey dsa:dsa1024.pem \e > - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem > -.Ed > -.Pp > -This > -.Pa server.csr > -file can then be given to a CA who will sign the key. > -.Pp > -You can also sign the key yourself, using the command: > -.Bd -literal -offset indent > -# openssl x509 -sha256 -req -days 365 \e > - -in /etc/ssl/private/dsacert.csr \e > - -signkey /etc/ssl/private/dsacert.key \e > - -out /etc/ssl/dsacert.crt > -.Ed > .Sh GENERATING ECDSA SERVER CERTIFICATES > First, generate parameters for ECDSA keys. > The following command will use a NIST/SECG curve over a 384-bit > >
Re: ssl(8) kill "generating dsa server certificates"
ok! Stuart Henderson(s...@spacehopper.org) on 2016.06.06 13:40:00 +0100: > I don't think we should be encouraging anyone to do this...ok? > > Index: ssl.8 > === > RCS file: /cvs/src/share/man/man8/ssl.8,v > retrieving revision 1.63 > diff -u -p -r1.63 ssl.8 > --- ssl.8 8 Feb 2016 19:29:58 - 1.63 > +++ ssl.8 6 Jun 2016 12:38:26 - > @@ -112,38 +112,6 @@ you can switch to using the new certific > with the certificate signed by your Certificate Authority, and then > restarting > .Xr httpd 8 . > -.Sh GENERATING DSA SERVER CERTIFICATES > -Generating a DSA certificate involves several steps. > -First, generate parameters for DSA keys. > -The following command will generate 1024-bit keys: > -.Bd -literal -offset indent > -# openssl dsaparam 1024 -out dsa1024.pem > -.Ed > -.Pp > -Once you have the DSA parameters generated, you can generate a > -CSR and unencrypted private key using the command: > -.Bd -literal -offset indent > -# openssl req -nodes -newkey dsa:dsa1024.pem \e > - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem > -.Ed > -.Pp > -To generate an encrypted private key, you would use: > -.Bd -literal -offset indent > -# openssl req -newkey dsa:dsa1024.pem \e > - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem > -.Ed > -.Pp > -This > -.Pa server.csr > -file can then be given to a CA who will sign the key. > -.Pp > -You can also sign the key yourself, using the command: > -.Bd -literal -offset indent > -# openssl x509 -sha256 -req -days 365 \e > - -in /etc/ssl/private/dsacert.csr \e > - -signkey /etc/ssl/private/dsacert.key \e > - -out /etc/ssl/dsacert.crt > -.Ed > .Sh GENERATING ECDSA SERVER CERTIFICATES > First, generate parameters for ECDSA keys. > The following command will use a NIST/SECG curve over a 384-bit > --
Re: ssl(8) kill "generating dsa server certificates"
On 2016/06/06 23:52, bytevolc...@safe-mail.net wrote:
> Whilst not a developer per se, I don't see any reason why omitting the
> documentation for a feature that is present is a good idea, unless the
> feature is/will be removed.

The documentation is still in openssl(8).

ssl(8) is a higher-level "how to set up TLS for your web/etc server"
and including non-useful things there just serves to confuse people.
Re: ssl(8) kill "generating dsa server certificates"
Whilst not a developer per se, I don't see any reason why omitting the documentation for a feature that is present is a good idea, unless the feature is/will be removed. Perhaps just something like this: Index: ssl.8 === RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.63 diff -u -p -r1.63 ssl.8 --- ssl.8 8 Feb 2016 19:29:58 - 1.63 +++ ssl.8 6 Jun 2016 12:38:26 - @@ -112,38 +112,6 @@ you can switch to using the new certific with the certificate signed by your Certificate Authority, and then restarting .Xr httpd 8 . -.Sh GENERATING DSA SERVER CERTIFICATES +.Sh GENERATING DSA SERVER CERTIFICATES (INSECURE; NOT RECOMMENDED!) On Mon, 6 Jun 2016 13:40:00 +0100 Stuart Hendersonwrote: > I don't think we should be encouraging anyone to do this...ok? > > Index: ssl.8 > === > RCS file: /cvs/src/share/man/man8/ssl.8,v > retrieving revision 1.63 > diff -u -p -r1.63 ssl.8 > --- ssl.8 8 Feb 2016 19:29:58 - 1.63 > +++ ssl.8 6 Jun 2016 12:38:26 - 
> @@ -112,38 +112,6 @@ you can switch to using the new certific > with the certificate signed by your Certificate Authority, and then > restarting > .Xr httpd 8 . > -.Sh GENERATING DSA SERVER CERTIFICATES > -Generating a DSA certificate involves several steps. > -First, generate parameters for DSA keys. > -The following command will generate 1024-bit keys: > -.Bd -literal -offset indent > -# openssl dsaparam 1024 -out dsa1024.pem > -.Ed > -.Pp > -Once you have the DSA parameters generated, you can generate a > -CSR and unencrypted private key using the command: > -.Bd -literal -offset indent > -# openssl req -nodes -newkey dsa:dsa1024.pem \e > - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem > -.Ed > -.Pp > -To generate an encrypted private key, you would use: > -.Bd -literal -offset indent > -# openssl req -newkey dsa:dsa1024.pem \e > - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem > -.Ed > -.Pp > -This > -.Pa server.csr > -file can then be given to a CA who will sign the key. > -.Pp > -You can also sign the key yourself, using the command: > -.Bd -literal -offset indent > -# openssl x509 -sha256 -req -days 365 \e > - -in /etc/ssl/private/dsacert.csr \e > - -signkey /etc/ssl/private/dsacert.key \e > - -out /etc/ssl/dsacert.crt > -.Ed > .Sh GENERATING ECDSA SERVER CERTIFICATES > First, generate parameters for ECDSA keys. > The following command will use a NIST/SECG curve over a 384-bit >
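Review bot: The one-line alternative near the top of this message keeps the hunk header `@@ -112,38 +112,6 @@` from the original patch although it now changes a single `.Sh` line, so the line counts no longer match the body and the diff needs regenerating against ssl.8 before it can be applied. Renaming the heading to `GENERATING DSA SERVER CERTIFICATES (INSECURE; NOT RECOMMENDED!)` also leaves the section body as it was, including `openssl dsaparam 1024` and the self-signing step that reads `/etc/ssl/private/dsacert.csr` and `dsacert.key`, files the earlier commands do not write. If the section is kept, the reason belongs in a sentence of the body text instead of the heading, and those paths need fixing in the same change.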
ssl(8) kill "generating dsa server certificates"
I don't think we should be encouraging anyone to do this...ok? Index: ssl.8 === RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.63 diff -u -p -r1.63 ssl.8 --- ssl.8 8 Feb 2016 19:29:58 - 1.63 +++ ssl.8 6 Jun 2016 12:38:26 - @@ -112,38 +112,6 @@ you can switch to using the new certific with the certificate signed by your Certificate Authority, and then restarting .Xr httpd 8 . -.Sh GENERATING DSA SERVER CERTIFICATES -Generating a DSA certificate involves several steps. -First, generate parameters for DSA keys. -The following command will generate 1024-bit keys: -.Bd -literal -offset indent -# openssl dsaparam 1024 -out dsa1024.pem -.Ed -.Pp -Once you have the DSA parameters generated, you can generate a -CSR and unencrypted private key using the command: -.Bd -literal -offset indent -# openssl req -nodes -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem -.Ed -.Pp -To generate an encrypted private key, you would use: -.Bd -literal -offset indent -# openssl req -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem -.Ed -.Pp -This -.Pa server.csr -file can then be given to a CA who will sign the key. -.Pp -You can also sign the key yourself, using the command: -.Bd -literal -offset indent -# openssl x509 -sha256 -req -days 365 \e - -in /etc/ssl/private/dsacert.csr \e - -signkey /etc/ssl/private/dsacert.key \e - -out /etc/ssl/dsacert.crt -.Ed .Sh GENERATING ECDSA SERVER CERTIFICATES First, generate parameters for ECDSA keys. The following command will use a NIST/SECG curve over a 384-bit
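Review bot: The message gives no reason for dropping the section, and the removed lines supply two that are worth recording in the commit log. The first command is `openssl dsaparam 1024`, so the page was walking readers through 1024-bit DSA keys. The steps also do not fit together: the CSR is written with `-out /etc/ssl/dsacert.csr` and the key with `-keyout /etc/ssl/private/dsakey.pem`, yet the text then calls the request `server.csr`, and the self-signing step reads `-in /etc/ssl/private/dsacert.csr` and `-signkey /etc/ssl/private/dsacert.key`, neither of which the earlier commands create. Saying so in the log shows the text could not be followed as written, which strengthens the case for removal over relabelling.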