Re: ssl(8) kill "generating dsa server certificates"

2016-06-06 Thread bytevolcano
I see. I guess people who really need DSA keys can figure
this out from the general format of the other sections.

Thanks for putting this into perspective.

On Mon, 6 Jun 2016 14:57:54 +0100
Stuart Henderson wrote:

> On 2016/06/06 23:52, bytevolc...@safe-mail.net wrote:
> > Whilst not a developer per se, I don't see any reason why omitting
> > the documentation for a feature that is present is a good idea,
> > unless the feature is/will be removed.  
> 
> The documentation is still in openssl(8).
> 
> ssl(8) is a higher-level "how to set up TLS for your web/etc server"
> and including non-useful things there just serves to confuse people.
> 



Re: ssl(8) kill "generating dsa server certificates"

2016-06-06 Thread Bob Beck
yeah. nuke it

On Monday, 6 June 2016, Stuart Henderson wrote:

> I don't think we should be encouraging anyone to do this...ok?
>
> Index: ssl.8
> ===
> RCS file: /cvs/src/share/man/man8/ssl.8,v
> retrieving revision 1.63
> diff -u -p -r1.63 ssl.8
> --- ssl.8   8 Feb 2016 19:29:58 -   1.63
> +++ ssl.8   6 Jun 2016 12:38:26 -
> @@ -112,38 +112,6 @@ you can switch to using the new certific
>  with the certificate signed by your Certificate Authority, and then
>  restarting
>  .Xr httpd 8 .
> -.Sh GENERATING DSA SERVER CERTIFICATES
> -Generating a DSA certificate involves several steps.
> -First, generate parameters for DSA keys.
> -The following command will generate 1024-bit keys:
> -.Bd -literal -offset indent
> -# openssl dsaparam 1024 -out dsa1024.pem
> -.Ed
> -.Pp
> -Once you have the DSA parameters generated, you can generate a
> -CSR and unencrypted private key using the command:
> -.Bd -literal -offset indent
> -# openssl req -nodes -newkey dsa:dsa1024.pem \e
> -  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
> -.Ed
> -.Pp
> -To generate an encrypted private key, you would use:
> -.Bd -literal -offset indent
> -# openssl req -newkey dsa:dsa1024.pem \e
> -  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
> -.Ed
> -.Pp
> -This
> -.Pa server.csr
> -file can then be given to a CA who will sign the key.
> -.Pp
> -You can also sign the key yourself, using the command:
> -.Bd -literal -offset indent
> -# openssl x509 -sha256 -req -days 365 \e
> -  -in /etc/ssl/private/dsacert.csr \e
> -  -signkey /etc/ssl/private/dsacert.key \e
> -  -out /etc/ssl/dsacert.crt
> -.Ed
>  .Sh GENERATING ECDSA SERVER CERTIFICATES
>  First, generate parameters for ECDSA keys.
>  The following command will use a NIST/SECG curve over a 384-bit
>
>
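Review bot: the removed section is the only visible place that names `/etc/ssl/dsacert.crt` and `/etc/ssl/private/dsakey.pem`; if other parts of ssl.8 outside this hunk still mention them, those references would be left dangling. A grep for `dsa` over the rest of the page before committing would confirm that this single hunk is enough.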


Re: ssl(8) kill "generating dsa server certificates"

2016-06-06 Thread Sebastian Benoit
ok!

Stuart Henderson(s...@spacehopper.org) on 2016.06.06 13:40:00 +0100:
> I don't think we should be encouraging anyone to do this...ok?
> 
> Index: ssl.8
> ===
> RCS file: /cvs/src/share/man/man8/ssl.8,v
> retrieving revision 1.63
> diff -u -p -r1.63 ssl.8
> --- ssl.8 8 Feb 2016 19:29:58 -   1.63
> +++ ssl.8 6 Jun 2016 12:38:26 -
> @@ -112,38 +112,6 @@ you can switch to using the new certific
>  with the certificate signed by your Certificate Authority, and then
>  restarting
>  .Xr httpd 8 .
> -.Sh GENERATING DSA SERVER CERTIFICATES
> -Generating a DSA certificate involves several steps.
> -First, generate parameters for DSA keys.
> -The following command will generate 1024-bit keys:
> -.Bd -literal -offset indent
> -# openssl dsaparam 1024 -out dsa1024.pem
> -.Ed
> -.Pp
> -Once you have the DSA parameters generated, you can generate a
> -CSR and unencrypted private key using the command:
> -.Bd -literal -offset indent
> -# openssl req -nodes -newkey dsa:dsa1024.pem \e
> -  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
> -.Ed
> -.Pp
> -To generate an encrypted private key, you would use:
> -.Bd -literal -offset indent
> -# openssl req -newkey dsa:dsa1024.pem \e
> -  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
> -.Ed
> -.Pp
> -This
> -.Pa server.csr
> -file can then be given to a CA who will sign the key.
> -.Pp
> -You can also sign the key yourself, using the command:
> -.Bd -literal -offset indent
> -# openssl x509 -sha256 -req -days 365 \e
> -  -in /etc/ssl/private/dsacert.csr \e
> -  -signkey /etc/ssl/private/dsacert.key \e
> -  -out /etc/ssl/dsacert.crt
> -.Ed
>  .Sh GENERATING ECDSA SERVER CERTIFICATES
>  First, generate parameters for ECDSA keys.
>  The following command will use a NIST/SECG curve over a 384-bit
> 
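Review bot: the removal carries no stated rationale beyond the cover line, although the removed text supplies one: `# openssl dsaparam 1024 -out dsa1024.pem` tells the reader to generate 1024-bit DSA parameters. Suggest saying so in the commit log, so that someone reading the CVS history later sees why the section went and not only that it did.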




Re: ssl(8) kill "generating dsa server certificates"

2016-06-06 Thread Stuart Henderson
On 2016/06/06 23:52, bytevolc...@safe-mail.net wrote:
> Whilst not a developer per se, I don't see any reason why omitting the
> documentation for a feature that is present is a good idea, unless the
> feature is/will be removed.

The documentation is still in openssl(8).

ssl(8) is a higher-level "how to set up TLS for your web/etc server"
and including non-useful things there just serves to confuse people.



Re: ssl(8) kill "generating dsa server certificates"

2016-06-06 Thread bytevolcano
Whilst not a developer per se, I don't see any reason why omitting the
documentation for a feature that is present is a good idea, unless the
feature is/will be removed.

Perhaps just something like this:

Index: ssl.8
===
RCS file: /cvs/src/share/man/man8/ssl.8,v
retrieving revision 1.63
diff -u -p -r1.63 ssl.8
--- ssl.8   8 Feb 2016 19:29:58 -   1.63
+++ ssl.8   6 Jun 2016 12:38:26 -
@@ -112,38 +112,6 @@ you can switch to using the new certific
 with the certificate signed by your Certificate Authority, and then
 restarting
 .Xr httpd 8 .
-.Sh GENERATING DSA SERVER CERTIFICATES
+.Sh GENERATING DSA SERVER CERTIFICATES (INSECURE; NOT RECOMMENDED!)
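Review bot: the hunk header still reads `@@ -112,38 +112,6 @@`, carried over from the removal patch, but the body under it is three context lines, one `-` line and one `+` line with no trailing context, so it does not match the header's line counts and will not apply as posted; regenerate it with `diff -u -p` against revision 1.63. Retitling the `.Sh` line alone also leaves the `openssl dsaparam 1024` example in the section body unchanged under the new heading.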

On Mon, 6 Jun 2016 13:40:00 +0100
Stuart Henderson wrote:

> I don't think we should be encouraging anyone to do this...ok?
> 
> Index: ssl.8
> ===
> RCS file: /cvs/src/share/man/man8/ssl.8,v
> retrieving revision 1.63
> diff -u -p -r1.63 ssl.8
> --- ssl.8 8 Feb 2016 19:29:58 -   1.63
> +++ ssl.8 6 Jun 2016 12:38:26 -
> @@ -112,38 +112,6 @@ you can switch to using the new certific
>  with the certificate signed by your Certificate Authority, and then
>  restarting
>  .Xr httpd 8 .
> -.Sh GENERATING DSA SERVER CERTIFICATES
> -Generating a DSA certificate involves several steps.
> -First, generate parameters for DSA keys.
> -The following command will generate 1024-bit keys:
> -.Bd -literal -offset indent
> -# openssl dsaparam 1024 -out dsa1024.pem
> -.Ed
> -.Pp
> -Once you have the DSA parameters generated, you can generate a
> -CSR and unencrypted private key using the command:
> -.Bd -literal -offset indent
> -# openssl req -nodes -newkey dsa:dsa1024.pem \e
> -  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
> -.Ed
> -.Pp
> -To generate an encrypted private key, you would use:
> -.Bd -literal -offset indent
> -# openssl req -newkey dsa:dsa1024.pem \e
> -  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
> -.Ed
> -.Pp
> -This
> -.Pa server.csr
> -file can then be given to a CA who will sign the key.
> -.Pp
> -You can also sign the key yourself, using the command:
> -.Bd -literal -offset indent
> -# openssl x509 -sha256 -req -days 365 \e
> -  -in /etc/ssl/private/dsacert.csr \e
> -  -signkey /etc/ssl/private/dsacert.key \e
> -  -out /etc/ssl/dsacert.crt
> -.Ed
>  .Sh GENERATING ECDSA SERVER CERTIFICATES
>  First, generate parameters for ECDSA keys.
>  The following command will use a NIST/SECG curve over a 384-bit
> 



ssl(8) kill "generating dsa server certificates"

2016-06-06 Thread Stuart Henderson
I don't think we should be encouraging anyone to do this...ok?

Index: ssl.8
===
RCS file: /cvs/src/share/man/man8/ssl.8,v
retrieving revision 1.63
diff -u -p -r1.63 ssl.8
--- ssl.8   8 Feb 2016 19:29:58 -   1.63
+++ ssl.8   6 Jun 2016 12:38:26 -
@@ -112,38 +112,6 @@ you can switch to using the new certific
 with the certificate signed by your Certificate Authority, and then
 restarting
 .Xr httpd 8 .
-.Sh GENERATING DSA SERVER CERTIFICATES
-Generating a DSA certificate involves several steps.
-First, generate parameters for DSA keys.
-The following command will generate 1024-bit keys:
-.Bd -literal -offset indent
-# openssl dsaparam 1024 -out dsa1024.pem
-.Ed
-.Pp
-Once you have the DSA parameters generated, you can generate a
-CSR and unencrypted private key using the command:
-.Bd -literal -offset indent
-# openssl req -nodes -newkey dsa:dsa1024.pem \e
-  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
-.Ed
-.Pp
-To generate an encrypted private key, you would use:
-.Bd -literal -offset indent
-# openssl req -newkey dsa:dsa1024.pem \e
-  -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
-.Ed
-.Pp
-This
-.Pa server.csr
-file can then be given to a CA who will sign the key.
-.Pp
-You can also sign the key yourself, using the command:
-.Bd -literal -offset indent
-# openssl x509 -sha256 -req -days 365 \e
-  -in /etc/ssl/private/dsacert.csr \e
-  -signkey /etc/ssl/private/dsacert.key \e
-  -out /etc/ssl/dsacert.crt
-.Ed
 .Sh GENERATING ECDSA SERVER CERTIFICATES
 First, generate parameters for ECDSA keys.
 The following command will use a NIST/SECG curve over a 384-bit
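Review bot: the removed instructions do not agree with each other on file names, which is a further argument for dropping them instead of repairing them. The `openssl req` examples write `/etc/ssl/dsacert.csr` and `/etc/ssl/private/dsakey.pem`, while the text that follows calls the request `server.csr` and the self-sign command reads `-in /etc/ssl/private/dsacert.csr` and `-signkey /etc/ssl/private/dsacert.key`. Only the first three lines of the ECDSA section that stays are visible here; if it was written from the same template, it deserves the same check.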