diff options
Diffstat (limited to 'openssl/trunk/doc/HOWTO/certificates.txt')
| -rw-r--r-- | openssl/trunk/doc/HOWTO/certificates.txt | 105 |
1 files changed, 0 insertions, 105 deletions
diff --git a/openssl/trunk/doc/HOWTO/certificates.txt b/openssl/trunk/doc/HOWTO/certificates.txt deleted file mode 100644 index a8a34c7a..00000000 --- a/openssl/trunk/doc/HOWTO/certificates.txt +++ /dev/null @@ -1,105 +0,0 @@ -<DRAFT!> - HOWTO certificates - -1. Introduction - -How you handle certificates depend a great deal on what your role is. -Your role can be one or several of: - - - User of some client software - - User of some server software - - Certificate authority - -This file is for users who wish to get a certificate of their own. -Certificate authorities should read ca.txt. - -In all the cases shown below, the standard configuration file, as -compiled into openssl, will be used. You may find it in /etc/, -/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and -is better described in another HOWTO <config.txt?>. If you want to -use a different configuration file, use the argument '-config {file}' -with the command shown below. - - -2. Relationship with keys - -Certificates are related to public key cryptography by containing a -public key. To be useful, there must be a corresponding private key -somewhere. With OpenSSL, public keys are easily derived from private -keys, so before you create a certificate or a certificate request, you -need to create a private key. - -Private keys are generated with 'openssl genrsa' if you want a RSA -private key, or 'openssl gendsa' if you want a DSA private key. -Further information on how to create private keys can be found in -another HOWTO <keys.txt?>. The rest of this text assumes you have -a private key in the file privkey.pem. - - -3. Creating a certificate request - -To create a certificate, you need to start with a certificate -request (or, as some certificate authorities like to put -it, "certificate signing request", since that's exactly what they do, -they sign it and give you the result back, thus making it authentic -according to their policies). A certificate request can then be sent -to a certificate authority to get it signed into a certificate, or if -you have your own certificate authority, you may sign it yourself, or -if you need a self-signed certificate (because you just want a test -certificate or because you are setting up your own CA). - -The certificate request is created like this: - - openssl req -new -key privkey.pem -out cert.csr - -Now, cert.csr can be sent to the certificate authority, if they can -handle files in PEM format. If not, use the extra argument '-outform' -followed by the keyword for the format to use (see another HOWTO -<formats.txt?>). In some cases, that isn't sufficient and you will -have to be more creative. - -When the certificate authority has then done the checks the need to -do (and probably gotten payment from you), they will hand over your -new certificate to you. - -Section 5 will tell you more on how to handle the certificate you -received. - - -4. Creating a self-signed test certificate - -If you don't want to deal with another certificate authority, or just -want to create a test certificate for yourself. This is similar to -creating a certificate request, but creates a certificate instead of -a certificate request. This is NOT the recommended way to create a -CA certificate, see ca.txt. - - openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 - - -5. What to do with the certificate - -If you created everything yourself, or if the certificate authority -was kind enough, your certificate is a raw DER thing in PEM format. -Your key most definitely is if you have followed the examples above. -However, some (most?) certificate authorities will encode them with -things like PKCS7 or PKCS12, or something else. Depending on your -applications, this may be perfectly OK, it all depends on what they -know how to decode. If not, There are a number of OpenSSL tools to -convert between some (most?) formats. - -So, depending on your application, you may have to convert your -certificate and your key to various formats, most often also putting -them together into one file. The ways to do this is described in -another HOWTO <formats.txt?>, I will just mention the simplest case. -In the case of a raw DER thing in PEM format, and assuming that's all -right for yor applications, simply concatenating the certificate and -the key into a new file and using that one should be enough. With -some applications, you don't even have to do that. - - -By now, you have your cetificate and your private key and can start -using the software that depend on it. - --- -Richard Levitte |