<DRAFT!>
		HOWTO certificates

1. Introduction

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

  - User of some client application
  - User of some server application
  - Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.


2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key. To be useful, there must be a corresponding private key
somewhere. With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa -out privkey.pem' if
you want an RSA private key, or if you want a DSA private key:
'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.

The private keys created by these commands are not passphrase protected;
this may or may not be what you want. Further information on how to
create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
The rest of this text assumes you have a private key in the file privkey.pem.


3. Creating a certificate request

To create a certificate, you need to start with a certificate request
(or, as some certificate authorities like to put it, "certificate
signing request", since that's exactly what they do: they sign it and
give you the result back, thus making it authentic according to their
policies). A certificate request is sent to a certificate authority
to get it signed into a certificate. You can also sign the certificate
yourself if you have your own certificate authority, or create a
self-signed certificate (typically for testing purposes).

The certificate request is created like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.
If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>). In some cases, -outform does not let you output the
certificate request in the right format and you will have to use one
of the various other commands that are exposed by openssl (or get
creative and use a combination of tools).

The certificate authority performs various checks (according to their
policies) and usually waits for payment from you. Once that is
complete, they send you your new certificate.

Section 5 will tell you more on how to handle the certificate you
received.


4. Creating a self-signed test certificate

You can create a self-signed certificate if you don't want to deal
with a certificate authority, or if you just want to create a test
certificate for yourself. This is similar to creating a certificate
request, but creates a certificate instead of a certificate request.
This is NOT the recommended way to create a CA certificate; see
https://www.openssl.org/docs/apps/ca.html.

  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095


5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else. Depending on your
applications, this may be perfectly OK; it all depends on what they
know how to decode. If not, there are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file. The ways to do this are described in
another HOWTO <formats.txt?>; I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that's all
right for your applications, simply concatenating the certificate and
the key into a new file and using that one should be enough. With
some applications, you don't even have to do that.


By now, you have your certificate and your private key and can start
using applications that depend on it.

--
Richard Levitte
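As an added end-to-end example (not part of this HOWTO or of OpenSSL's own scripts), the following POSIX shell script runs the commands of sections 2 to 5 without interactive prompts and then checks that the certificate really carries the public key derived from privkey.pem, which is the check an operator wants before handing the pair to a server. The -subj value, the 2048-bit key size and the WORK directory are assumptions; the file names follow the HOWTO.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL HOWTO: runs the key -> request ->
# self-signed certificate path of sections 2-5 non-interactively, then checks
# that the certificate really carries the public key derived from privkey.pem.
# Assumes openssl(1) on PATH. The subject name is constructed; -subj replaces
# the interactive prompts of 'openssl req'. File names follow the HOWTO.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/O=Constructed Example/CN=example.test"

# Section 2: an unencrypted 2048-bit RSA private key.
make_key() {
    openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
}

# Section 3: the certificate request, then verify its own signature, which
# proves the request was made with the key whose public half it carries.
make_csr() {
    openssl req -new -key "$WORK/privkey.pem" -out "$WORK/cert.csr" \
        -subj "$SUBJ" 2>/dev/null
    openssl req -in "$WORK/cert.csr" -noout -verify >/dev/null 2>&1
}

# Section 4: a self-signed test certificate valid for 1095 days.
make_selfsigned() {
    openssl req -new -x509 -key "$WORK/privkey.pem" -out "$WORK/cacert.pem" \
        -days 1095 -subj "$SUBJ" 2>/dev/null
}

# Section 2 in reverse: the public key derived from privkey.pem must equal the
# one embedded in the certificate, or the pair is useless to any application.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$WORK/privkey.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$WORK/cacert.pem" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Section 5, simplest case: certificate and key concatenated into one PEM file.
# Returns the number of PEM blocks in the bundle (2 when both are present).
bundle() {
    cat "$WORK/cacert.pem" "$WORK/privkey.pem" > "$WORK/bundle.pem"
    grep -c '^-----BEGIN' "$WORK/bundle.pem"
}

make_key && make_csr && make_selfsigned
key_matches_cert && echo "certificate matches privkey.pem"
echo "bundle.pem holds $(bundle) PEM blocks"
```

Swapping in a different key file for the match check makes key_matches_cert fail, which is exactly the mismatch that shows up later as a server refusing to start.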