Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/doc/HOWTO/certificates.txt
34869 views
1
<DRAFT!>

2
			HOWTO certificates

3


4
1. Introduction

5


6
How you handle certificates depends a great deal on what your role is.

7
Your role can be one or several of:

8


9
  - User of some client application

10
  - User of some server application

11
  - Certificate authority

12


13
This file is for users who wish to get a certificate of their own.

14
Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.

15


16
In all the cases shown below, the standard configuration file, as

17
compiled into openssl, will be used.  You may find it in /etc/,

18
/usr/local/ssl/ or somewhere else.  By default the file is named

19
openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.

20
You can specify a different configuration file using the

21
'-config {file}' argument with the commands shown below.

22


23


24
2. Relationship with keys

25


26
Certificates are related to public key cryptography by containing a

27
public key.  To be useful, there must be a corresponding private key

28
somewhere.  With OpenSSL, public keys are easily derived from private

29
keys, so before you create a certificate or a certificate request, you

30
need to create a private key.

31


32
Private keys are generated with 'openssl genrsa -out privkey.pem' if

33
you want an RSA private key, or if you want a DSA private key:

34
'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.

35


36
The private keys created by these commands are not passphrase protected;

37
it might or might not be the desirable thing.  Further information on how to

38
create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.

39
The rest of this text assumes you have a private key in the file privkey.pem.

40


41


42
3. Creating a certificate request

43


44
To create a certificate, you need to start with a certificate request

45
(or, as some certificate authorities like to put it, "certificate

46
signing request", since that's exactly what they do, they sign it and

47
give you the result back, thus making it authentic according to their

48
policies).  A certificate request is sent to a certificate authority

49
to get it signed into a certificate. You can also sign the certificate

50
yourself if you have your own certificate authority or create a

51
self-signed certificate (typically for testing purposes).

52


53
The certificate request is created like this:

54


55
  openssl req -new -key privkey.pem -out cert.csr

56


57
Now, cert.csr can be sent to the certificate authority, if they can

58
handle files in PEM format.  If not, use the extra argument '-outform'

59
followed by the keyword for the format to use (see another HOWTO

60
<formats.txt?>).  In some cases, -outform does not let you output the

61
certificate request in the right format and you will have to use one

62
of the various other commands that are exposed by openssl (or get

63
creative and use a combination of tools).

64


65
The certificate authority performs various checks (according to their

66
policies) and usually waits for payment from you. Once that is

67
complete, they send you your new certificate.

68


69
Section 5 will tell you more on how to handle the certificate you

70
received.

71


72


73
4. Creating a self-signed test certificate

74


75
You can create a self-signed certificate if you don't want to deal

76
with a certificate authority, or if you just want to create a test

77
certificate for yourself.  This is similar to creating a certificate

78
request, but creates a certificate instead of a certificate request.

79
This is NOT the recommended way to create a CA certificate, see

80
https://www.openssl.org/docs/apps/ca.html.

81


82
  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

83


84


85
5. What to do with the certificate

86


87
If you created everything yourself, or if the certificate authority

88
was kind enough, your certificate is a raw DER thing in PEM format.

89
Your key most definitely is if you have followed the examples above.

90
However, some (most?) certificate authorities will encode them with

91
things like PKCS7 or PKCS12, or something else.  Depending on your

92
applications, this may be perfectly OK.  It all depends on what they

93
know how to decode.  If not, there are a number of OpenSSL tools to

94
convert between some (most?) formats.

95


96
So, depending on your application, you may have to convert your

97
certificate and your key to various formats, most often also putting

98
them together into one file.  The ways to do this is described in

99
another HOWTO <formats.txt?>, I will just mention the simplest case.

100
In the case of a raw DER thing in PEM format, and assuming that's all

101
right for your applications, simply concatenating the certificate and

102
the key into a new file and using that one should be enough.  With

103
some applications, you don't even have to do that.

104


105


106
By now, you have your certificate and your private key and can start

107
using applications that depend on it.

108


109
--

110
Richard Levitte

111


112