15c87c606SMark Murray<DRAFT!> 25c87c606SMark Murray HOWTO certificates 35c87c606SMark Murray 4fceca8a3SJacques Vidrine1. Introduction 5fceca8a3SJacques Vidrine 6751d2991SJung-uk KimHow you handle certificates depends a great deal on what your role is. 75c87c606SMark MurrayYour role can be one or several of: 85c87c606SMark Murray 9751d2991SJung-uk Kim - User of some client application 10751d2991SJung-uk Kim - User of some server application 115c87c606SMark Murray - Certificate authority 125c87c606SMark Murray 135c87c606SMark MurrayThis file is for users who wish to get a certificate of their own. 14751d2991SJung-uk KimCertificate authorities should read https://www.openssl.org/docs/apps/ca.html. 155c87c606SMark Murray 165c87c606SMark MurrayIn all the cases shown below, the standard configuration file, as 175c87c606SMark Murraycompiled into openssl, will be used. You may find it in /etc/, 18751d2991SJung-uk Kim/usr/local/ssl/ or somewhere else. By default the file is named 19751d2991SJung-uk Kimopenssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. 20751d2991SJung-uk KimYou can specify a different configuration file using the 21751d2991SJung-uk Kim'-config {file}' argument with the commands shown below. 225c87c606SMark Murray 235c87c606SMark Murray 24fceca8a3SJacques Vidrine2. Relationship with keys 25fceca8a3SJacques Vidrine 265c87c606SMark MurrayCertificates are related to public key cryptography by containing a 275c87c606SMark Murraypublic key. To be useful, there must be a corresponding private key 285c87c606SMark Murraysomewhere. With OpenSSL, public keys are easily derived from private 295c87c606SMark Murraykeys, so before you create a certificate or a certificate request, you 305c87c606SMark Murrayneed to create a private key. 315c87c606SMark Murray 32751d2991SJung-uk KimPrivate keys are generated with 'openssl genrsa -out privkey.pem' if 33b077aed3SPierre Proncheryyou want an RSA private key, or if you want a DSA private key: 34751d2991SJung-uk Kim'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'. 35751d2991SJung-uk Kim 36751d2991SJung-uk KimThe private keys created by these commands are not passphrase protected; 37751d2991SJung-uk Kimit might or might not be the desirable thing. Further information on how to 38751d2991SJung-uk Kimcreate private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt. 39751d2991SJung-uk KimThe rest of this text assumes you have a private key in the file privkey.pem. 405c87c606SMark Murray 415c87c606SMark Murray 42fceca8a3SJacques Vidrine3. Creating a certificate request 43fceca8a3SJacques Vidrine 44751d2991SJung-uk KimTo create a certificate, you need to start with a certificate request 45751d2991SJung-uk Kim(or, as some certificate authorities like to put it, "certificate 46751d2991SJung-uk Kimsigning request", since that's exactly what they do, they sign it and 47751d2991SJung-uk Kimgive you the result back, thus making it authentic according to their 48751d2991SJung-uk Kimpolicies). A certificate request is sent to a certificate authority 49751d2991SJung-uk Kimto get it signed into a certificate. You can also sign the certificate 50751d2991SJung-uk Kimyourself if you have your own certificate authority or create a 51751d2991SJung-uk Kimself-signed certificate (typically for testing purpose). 52fceca8a3SJacques Vidrine 5350ef0093SJacques VidrineThe certificate request is created like this: 545c87c606SMark Murray 555c87c606SMark Murray openssl req -new -key privkey.pem -out cert.csr 565c87c606SMark Murray 575c87c606SMark MurrayNow, cert.csr can be sent to the certificate authority, if they can 585c87c606SMark Murrayhandle files in PEM format. If not, use the extra argument '-outform' 595c87c606SMark Murrayfollowed by the keyword for the format to use (see another HOWTO 60751d2991SJung-uk Kim<formats.txt?>). In some cases, -outform does not let you output the 61751d2991SJung-uk Kimcertificate request in the right format and you will have to use one 62751d2991SJung-uk Kimof the various other commands that are exposed by openssl (or get 63751d2991SJung-uk Kimcreative and use a combination of tools). 645c87c606SMark Murray 65751d2991SJung-uk KimThe certificate authority performs various checks (according to their 66751d2991SJung-uk Kimpolicies) and usually waits for payment from you. Once that is 67751d2991SJung-uk Kimcomplete, they send you your new certificate. 685c87c606SMark Murray 69fceca8a3SJacques VidrineSection 5 will tell you more on how to handle the certificate you 70fceca8a3SJacques Vidrinereceived. 715c87c606SMark Murray 725c87c606SMark Murray 733b4e3dcbSSimon L. B. Nielsen4. Creating a self-signed test certificate 74fceca8a3SJacques Vidrine 75751d2991SJung-uk KimYou can create a self-signed certificate if you don't want to deal 76751d2991SJung-uk Kimwith a certificate authority, or if you just want to create a test 77751d2991SJung-uk Kimcertificate for yourself. This is similar to creating a certificate 78751d2991SJung-uk Kimrequest, but creates a certificate instead of a certificate request. 79751d2991SJung-uk KimThis is NOT the recommended way to create a CA certificate, see 80751d2991SJung-uk Kimhttps://www.openssl.org/docs/apps/ca.html. 81fceca8a3SJacques Vidrine 8250ef0093SJacques Vidrine openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 83fceca8a3SJacques Vidrine 84fceca8a3SJacques Vidrine 85fceca8a3SJacques Vidrine5. What to do with the certificate 865c87c606SMark Murray 875c87c606SMark MurrayIf you created everything yourself, or if the certificate authority 885c87c606SMark Murraywas kind enough, your certificate is a raw DER thing in PEM format. 895c87c606SMark MurrayYour key most definitely is if you have followed the examples above. 905c87c606SMark MurrayHowever, some (most?) certificate authorities will encode them with 915c87c606SMark Murraythings like PKCS7 or PKCS12, or something else. Depending on your 92*a7148ab3SEnji Cooperapplications, this may be perfectly OK. It all depends on what they 93e71b7053SJung-uk Kimknow how to decode. If not, there are a number of OpenSSL tools to 945c87c606SMark Murrayconvert between some (most?) formats. 955c87c606SMark Murray 965c87c606SMark MurraySo, depending on your application, you may have to convert your 975c87c606SMark Murraycertificate and your key to various formats, most often also putting 985c87c606SMark Murraythem together into one file. The ways to do this is described in 995c87c606SMark Murrayanother HOWTO <formats.txt?>, I will just mention the simplest case. 1005c87c606SMark MurrayIn the case of a raw DER thing in PEM format, and assuming that's all 101751d2991SJung-uk Kimright for your applications, simply concatenating the certificate and 1025c87c606SMark Murraythe key into a new file and using that one should be enough. With 1035c87c606SMark Murraysome applications, you don't even have to do that. 1045c87c606SMark Murray 1055c87c606SMark Murray 106751d2991SJung-uk KimBy now, you have your certificate and your private key and can start 107751d2991SJung-uk Kimusing applications that depend on it. 1085c87c606SMark Murray 1095c87c606SMark Murray-- 1105c87c606SMark MurrayRichard Levitte 111