<DRAFT!>
                        HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI.  Keys usually
come in pairs, with one half being the public key and the other half
being the private key.  With OpenSSL, the private key file contains the
public key information as well, so a public key doesn't need to be
generated separately; it can be extracted from the private key.

Public keys come in several flavors, using different cryptographic
algorithms.  The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.


2. To generate an RSA key

An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy; all you have to
do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.  Note that '-des3' encrypts the
key file with Triple-DES; current OpenSSL releases also accept
'-aes256', which is the better choice today.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.  An unprotected key then relies entirely on file
    permissions: keep it readable only by the account the server
    runs as.

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for RSA keys, as fewer bits are considered
insecure already, or likely to become insecure soon.


3. To generate a DSA key

A DSA key can be used for signing only.  This is important to keep
in mind, to know what kind of purposes a certificate request with a
DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process.  First,
you have to generate parameters from which to generate the key:

  openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for DSA keys, as fewer bits are considered
insecure already, or likely to become insecure soon.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

  openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.

-- 
Richard Levitte
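The two procedures above, scripted end to end as an added example (this is not part of the HOWTO and not OpenSSL's own code): it generates an RSA key and a DSA key without interactive prompts, extracts the public half from each private key file, and then checks the claims made in sections 2 and 3, namely that both keys sign and verify while only the RSA key encrypts. The file names, the 2048-bit sizes and the passphrase are assumptions chosen for the demonstration; an OpenSSL 1.1.1 or 3.x 'openssl' binary on PATH is assumed.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO or of OpenSSL itself: run the
# key generation from sections 2 and 3 without interactive prompts, then check
# the properties the text states. Assumes an OpenSSL 1.1.1 or 3.x 'openssl'
# binary on PATH. File names and the passphrase below are made up for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl not found on PATH' >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passphrase, used only to show an encrypted private key file.
# A real one comes from a prompt or a secrets store, never a script literal.
PASS='correct horse battery staple'

# Section 2, RSA: one step. -aes256 takes the place of the HOWTO's legacy
# -des3, and -passout replaces the interactive prompt. The public key is then
# extracted from the private key file, which is why no separate public key
# generation step is needed.
gen_rsa() {  # $1 = modulus size in bits
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/rsa.key" "$1" 2>/dev/null
    openssl rsa -in "$WORK/rsa.key" -passin "pass:$PASS" -check -noout >/dev/null 2>&1
    openssl rsa -in "$WORK/rsa.key" -passin "pass:$PASS" -pubout -out "$WORK/rsa.pub" 2>/dev/null
    chmod 600 "$WORK/rsa.key"
}

# Section 3, DSA: two steps, parameters first, then a key from them. This key
# is left unencrypted, as the NOTE suggests for server keys, so the file
# permissions are its only protection.
gen_dsa() {  # $1 = prime size in bits
    openssl dsaparam -out "$WORK/dsa.params" "$1" 2>/dev/null
    openssl gendsa -out "$WORK/dsa.key" "$WORK/dsa.params" 2>/dev/null
    chmod 600 "$WORK/dsa.key"
    openssl pkey -in "$WORK/dsa.key" -pubout -out "$WORK/dsa.pub"
}

# Print the key size that 'openssl pkey -text' reports, e.g. 2048 from
# "Private-Key: (2048 bit, 2 primes)". Works for RSA and DSA, encrypted or not.
key_bits() {  # $1 = private key file, [$2 = passphrase]
    if [ $# -ge 2 ]; then
        openssl pkey -in "$1" -passin "pass:$2" -noout -text
    else
        openssl pkey -in "$1" -noout -text
    fi 2>/dev/null | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Sign with the private key, verify with the public key. Both RSA and DSA
# support this. Prints "ok" or "fail".
sign_verify() {  # $1 = private key, $2 = public key, $3 = file, [$4 = passphrase]
    if [ $# -ge 4 ]; then
        openssl dgst -sha256 -sign "$1" -passin "pass:$4" -out "$WORK/sig.bin" "$3"
    else
        openssl dgst -sha256 -sign "$1" -out "$WORK/sig.bin" "$3"
    fi
    if openssl dgst -sha256 -verify "$2" -signature "$WORK/sig.bin" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Attempt public-key encryption. RSA accepts it; DSA is signing-only, so
# pkeyutl refuses the operation. Prints "yes" or "no".
can_encrypt() {  # $1 = public key, $2 = plaintext file
    if openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$WORK/ct.bin" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Decrypt the ciphertext left behind by can_encrypt with the encrypted RSA key.
rsa_decrypt() {
    openssl pkeyutl -decrypt -inkey "$WORK/rsa.key" -passin "pass:$PASS" -in "$WORK/ct.bin" 2>/dev/null
}

printf 'constructed message\n' > "$WORK/msg.txt"   # constructed sample input
gen_rsa 2048
gen_dsa 2048
echo "RSA key bits:      $(key_bits "$WORK/rsa.key" "$PASS")"
echo "DSA key bits:      $(key_bits "$WORK/dsa.key")"
echo "RSA sign/verify:   $(sign_verify "$WORK/rsa.key" "$WORK/rsa.pub" "$WORK/msg.txt" "$PASS")"
echo "DSA sign/verify:   $(sign_verify "$WORK/dsa.key" "$WORK/dsa.pub" "$WORK/msg.txt")"
echo "RSA can encrypt:   $(can_encrypt "$WORK/rsa.pub" "$WORK/msg.txt")"
echo "RSA decrypts to:   $(rsa_decrypt)"
echo "DSA can encrypt:   $(can_encrypt "$WORK/dsa.pub" "$WORK/msg.txt")"
```

Save it to a file and run it with sh.  The 'openssl dsaparam' step is the slow part, since it has to search for a suitable prime.  '-passout pass:...' and '-passin pass:...' are used here only so that the script runs unattended; on a shared system a passphrase given on the command line is visible to other users in the process list, so interactive entry or '-passin file:' is the right choice there.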