author: RPKI Documentation Robot <docbot@rpki.net> 2013-08-31 07:00:25 +0000
committer: RPKI Documentation Robot <docbot@rpki.net> 2013-08-31 07:00:25 +0000
commit: fa0d5d3be4e9c2eb294f7611191705414016f725 (patch)
tree: 0ba29762a8d39085edd4f56b1293092674acec27
parent: 54ef9d5e4800f0fb88522319fddba20851bd41ff (diff)

Automatic pull of documentation from Wiki.

svn path=/trunk/; revision=5480

-rw-r--r-- doc/doc.RPKI.CA.Configuration.CreatingRoot | 39
-rw-r--r-- doc/manual.pdf | bin 753532 -> 754837 bytes
2 files changed, 34 insertions, 5 deletions
diff --git a/doc/doc.RPKI.CA.Configuration.CreatingRoot b/doc/doc.RPKI.CA.Configuration.CreatingRoot
index 0a6c24a0..093dadce 100644
--- a/doc/doc.RPKI.CA.Configuration.CreatingRoot
+++ b/doc/doc.RPKI.CA.Configuration.CreatingRoot
@@ -43,21 +43,25 @@ this:
Assuming you save this configuration in a file root.conf, you can use it to
generate a root certificate as follows:
+ openssl genrsa -out root.key 2048
+
openssl req \
-new \
-x509 \
- -newkey rsa:2048 \
-config root.conf \
- -keyout root.key \
- -days 1825 \
- -outform DER \
- -out root.cer \
+ -key root.key \
+ -out root.cer \
+ -outform DER \
+ -days 1825 \
-set_serial 1 \
-extensions x509v3_extensions
You may want to shorten the five year expiration time (1825 days), which is a
bit long. It is a root certificate, so a long expiration is not unusual.
+When regenerating a certificate using the same key, just skip the openssl
+genrsa step above.
+
You must copy the generated root.cer to the publication directory as defined in
rpki.conf:
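Review bot: The hunk splits key generation out into a separate `openssl genrsa -out root.key 2048` step but never says why, so a reader who already knows `openssl req -newkey` will not understand the change until they reach the PKCS #8 section added further down; a one-line cross-reference ("see Converting an existing RSA key from PKCS #8 format below") next to the new `genrsa` line would make the intent clear. Two smaller documentation points in the same hunk: `genrsa` writes the root CA's private key into the current directory with no mention of protecting it, so the text should at least tell the reader where to keep root.key and that its permissions should be restricted; and the retained context sentence "which is a bit long. It is a root certificate, so a long expiration is not unusual." argues against itself and should be reworded to say whether the author recommends shortening the lifetime or not.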
@@ -67,3 +71,28 @@ To create a TAL format trust anchor locator use the make-tal.sh script from
$top/rcynic:
$top/rcynic/make-tal.sh rsync://example.org/rpki/root/root.cer root.cer
+
+***** Converting an existing RSA key from PKCS #8 format *****
+
+If you previously generated a certificate using openssl req with the -newkey
+option and are having difficulty getting rootd to accept the resulting private
+key, the problem may be that OpenSSL saved the private key file in PKCS #8
+format. OpenSSL's behavior changed here, the -newkey option saved the key in
+PKCS #1 format, but newer versions use PKCS #8. While PKCS #8 is indeed likely
+an improvement, the change confuses some programs, including versions of rootd
+from before we discovered this problem.
+
+If you think this might be your problem, you can convert the existing private
+key to PKCS #1 format with a script like this:
+
+ if ! openssl rsa -in root.key -out root.key.new
+ then
+ echo Conversion failed
+ rm root.key.new
+ elif cmp -s root.key root.key.new
+ echo No change
+ rm root.key.new
+ else
+ echo Converted
+ mv root.key.new root.key
+ fi
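Review bot: The conversion script in this hunk does not run as written: the `elif cmp -s root.key root.key.new` line is missing its `then`, so the shell reports a syntax error at `echo No change` before any branch executes; it should read
    elif cmp -s root.key root.key.new
    then
        echo No change
A second, minor point in the failure branch: when `openssl rsa` fails it may not have created root.key.new at all, so `rm root.key.new` then prints its own error; `rm -f root.key.new` avoids the noise. The overall structure (write to a temporary file, compare, and only `mv` over root.key on success) is the right way to do this, since it never leaves the root key clobbered by a partial conversion.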
diff --git a/doc/manual.pdf b/doc/manual.pdf
index 8085dea9..79defe72 100644
--- a/doc/manual.pdf
+++ b/doc/manual.pdf
Binary files differ