<DRAFT!>
HOWTO certificates

1. Introduction

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

- User of some client application
- User of some server application
- Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used.  You may find it in /etc/,
/usr/local/ssl/ or somewhere else.  By default the file is named
openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.


2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key.  To be useful, there must be a corresponding private key
somewhere.  With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa -out privkey.pem' if
you want an RSA private key, or, if you want a DSA private key, with:
'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.

The private keys created by these commands are not passphrase protected;
this may or may not be what you want.  Further information on how to
create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
The rest of this text assumes you have a private key in the file privkey.pem.


3. Creating a certificate request

To create a certificate, you need to start with a certificate request
(or, as some certificate authorities like to put it, a "certificate
signing request", since that is exactly what they do: they sign it and
give you the result back, thus making it authentic according to their
policies).  A certificate request is sent to a certificate authority
to get it signed into a certificate.  You can also sign the certificate
yourself if you have your own certificate authority, or create a
self-signed certificate (typically for testing purposes).

The certificate request is created like this:

openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.  If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>).  In some cases, -outform does not let you output the
certificate request in the right format and you will have to use one
of the various other commands that are exposed by openssl (or get
creative and use a combination of tools).
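Added here as an example, not part of the original HOWTO: the request from
section 3 made without the interactive prompts, followed by the checks worth
running before the CSR leaves your hands.  It assumes OpenSSL 1.1.1 or later
(for -addext); the host name www.example.test and all file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.  Create the section 3
# certificate request non-interactively and check it before sending it.
# www.example.test and all file names are constructed for this example.
set -eu

# -subj supplies the subject; -addext adds a subjectAltName, which is
# what CAs and clients actually match, so put the host name in both.
make_csr() {
    key=$1 csr=$2 host=$3
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -out "$csr" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
}

# A CSR is signed with the key it carries.  Check that signature, and
# that the embedded public key really belongs to our private key; a CA
# that issues for the wrong key hands you a certificate you cannot use.
check_csr() {
    key=$1 csr=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    want=$(openssl pkey -in "$key" -pubout -outform DER |
           openssl dgst -sha256 | awk '{print $NF}')
    have=$(openssl req -in "$csr" -noout -pubkey |
           openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ "$want" = "$have" ]
}

# Confirm the requested SAN actually made it into the request.
csr_has_san() {
    csr=$1 host=$2
    openssl req -in "$csr" -noout -text | grep -q "DNS:$host"
}

# Demo run in a scratch directory (drop the rm -rf to keep the files).
demo() {
    d=$(mktemp -d)
    make_csr "$d/privkey.pem" "$d/cert.csr" www.example.test
    check_csr "$d/privkey.pem" "$d/cert.csr" && echo "CSR signature OK, key matches"
    csr_has_san "$d/cert.csr" www.example.test && echo "SAN present"
    rm -rf "$d"
}
demo
```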

The certificate authority performs various checks (according to their
policies) and usually waits for payment from you.  Once that is
complete, they send you your new certificate.

Section 5 will tell you more about how to handle the certificate you
received.


4. Creating a self-signed test certificate

You can create a self-signed certificate if you don't want to deal
with a certificate authority, or if you just want to create a test
certificate for yourself.  This is similar to creating a certificate
request, but creates a certificate instead of a certificate request.
This is NOT the recommended way to create a CA certificate; see
https://www.openssl.org/docs/apps/ca.html.

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095


5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a plain DER-encoded certificate
wrapped in PEM format.  Your key most definitely is if you have followed
the examples above.  However, some (most?) certificate authorities will
encode them with things like PKCS#7 or PKCS#12, or something else.
Depending on your applications, this may be perfectly OK; it all depends
on what they know how to decode.  If not, there are a number of OpenSSL
tools to convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file.  The ways to do this are described in
another HOWTO <formats.txt?>; I will just mention the simplest case.
In the case of a plain DER-encoded certificate in PEM format, and
assuming that's all right for your applications, simply concatenating
the certificate and the key into a new file and using that one should
be enough.  With some applications, you don't even have to do that.
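Added here as an example, not part of the original HOWTO, covering sections
4 and 5 together: the self-signed test certificate with its -days 1095
lifetime, what to check on the result, and the one-file certificate+key
bundle from the simplest case above.  The host name test.example.test and
all file names are constructed; the lifetime check relies on 'openssl x509
-checkend'.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.  Make the section 4
# self-signed test certificate, check what came out, then build the single
# certificate+key file from section 5.  Host and file names are constructed.
set -eu

make_selfsigned() {
    key=$1 cert=$2 host=$3 days=$4
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -x509 -key "$key" -out "$cert" -days "$days" -subj "/CN=$host"
}

# A self-signed certificate is its own issuer: it verifies only when it is
# itself the trust anchor, which is why clients must be told to trust it.
selfsigned_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# -checkend N exits 0 if the certificate is still valid N seconds from now,
# so a -days 1095 certificate passes at 1094 days and fails at 1096.
lifetime_is_days() {
    cert=$1 days=$2
    openssl x509 -in "$cert" -noout -checkend $(( (days - 1) * 86400 )) >/dev/null &&
        ! openssl x509 -in "$cert" -noout -checkend $(( (days + 1) * 86400 )) >/dev/null
}

# Section 5's simplest case: concatenate certificate and key into one PEM
# file.  That file now holds the private key, so restrict its permissions.
bundle_pem() {
    cert=$1 key=$2 out=$3
    cat "$cert" "$key" > "$out"
    chmod 600 "$out"
}

# Both objects must still be readable from the combined file.
bundle_ok() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 &&
        openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# Demo run in a scratch directory (drop the rm -rf to keep the files).
demo() {
    d=$(mktemp -d)
    make_selfsigned "$d/privkey.pem" "$d/cacert.pem" test.example.test 1095
    selfsigned_ok "$d/cacert.pem" && echo "cacert.pem verifies against itself"
    lifetime_is_days "$d/cacert.pem" 1095 && echo "validity period is 1095 days"
    bundle_pem "$d/cacert.pem" "$d/privkey.pem" "$d/bundle.pem"
    bundle_ok "$d/bundle.pem" && echo "bundle.pem holds both certificate and key"
    rm -rf "$d"
}
demo
```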


By now, you have your certificate and your private key and can start
using applications that depend on them.

--
Richard Levitte