| <DRAFT!> |
| HOWTO certificates |
| |
| 1. Introduction |
| |
| How you handle certificates depend a great deal on what your role is. |
| Your role can be one or several of: |
| |
| - User of some client software |
| - User of some server software |
| - Certificate authority |
| |
| This file is for users who wish to get a certificate of their own. |
| Certificate authorities should read ca.txt. |
| |
| In all the cases shown below, the standard configuration file, as |
| compiled into openssl, will be used. You may find it in /etc/, |
| /usr/local/ssl/ or somewhere else. The name is openssl.cnf, and |
| is better described in another HOWTO <config.txt?>. If you want to |
| use a different configuration file, use the argument '-config {file}' |
| with the command shown below. |
| |
| |
| 2. Relationship with keys |
| |
| Certificates are related to public key cryptography by containing a |
| public key. To be useful, there must be a corresponding private key |
| somewhere. With OpenSSL, public keys are easily derived from private |
| keys, so before you create a certificate or a certificate request, you |
| need to create a private key. |
| |
| Private keys are generated with 'openssl genrsa' if you want a RSA |
| private key, or 'openssl gendsa' if you want a DSA private key. |
| Further information on how to create private keys can be found in |
| another HOWTO <keys.txt?>. The rest of this text assumes you have |
| a private key in the file privkey.pem. |
| |
| |
| 3. Creating a certificate request |
| |
| To create a certificate, you need to start with a certificate |
| request (or, as some certificate authorities like to put |
| it, "certificate signing request", since that's exactly what they do, |
| they sign it and give you the result back, thus making it authentic |
| according to their policies). A certificate request can then be sent |
| to a certificate authority to get it signed into a certificate, or if |
| you have your own certificate authority, you may sign it yourself, or |
| if you need a self-signed certificate (because you just want a test |
| certificate or because you are setting up your own CA). |
| |
| The certificate request is created like this: |
| |
| openssl req -new -key privkey.pem -out cert.csr |
| |
| Now, cert.csr can be sent to the certificate authority, if they can |
| handle files in PEM format. If not, use the extra argument '-outform' |
| followed by the keyword for the format to use (see another HOWTO |
| <formats.txt?>). In some cases, that isn't sufficient and you will |
| have to be more creative. |
| |
| When the certificate authority has then done the checks the need to |
| do (and probably gotten payment from you), they will hand over your |
| new certificate to you. |
| |
| Section 5 will tell you more on how to handle the certificate you |
| received. |
| |
| |
| 4. Creating a self-signed test certificate |
| |
| If you don't want to deal with another certificate authority, or just |
| want to create a test certificate for yourself. This is similar to |
| creating a certificate request, but creates a certificate instead of |
| a certificate request. This is NOT the recommended way to create a |
| CA certificate, see ca.txt. |
| |
| openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 |
| |
| |
| 5. What to do with the certificate |
| |
| If you created everything yourself, or if the certificate authority |
| was kind enough, your certificate is a raw DER thing in PEM format. |
| Your key most definitely is if you have followed the examples above. |
| However, some (most?) certificate authorities will encode them with |
| things like PKCS7 or PKCS12, or something else. Depending on your |
| applications, this may be perfectly OK, it all depends on what they |
| know how to decode. If not, There are a number of OpenSSL tools to |
| convert between some (most?) formats. |
| |
| So, depending on your application, you may have to convert your |
| certificate and your key to various formats, most often also putting |
| them together into one file. The ways to do this is described in |
| another HOWTO <formats.txt?>, I will just mention the simplest case. |
| In the case of a raw DER thing in PEM format, and assuming that's all |
| right for yor applications, simply concatenating the certificate and |
| the key into a new file and using that one should be enough. With |
| some applications, you don't even have to do that. |
| |
| |
| By now, you have your cetificate and your private key and can start |
| using the software that depend on it. |
| |
| -- |
| Richard Levitte |