<DRAFT!>
		HOWTO certificates

1. Introduction

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

  - User of some client software
  - User of some server software
  - Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read ca.txt.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used.  You may find it in /etc/,
/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
is better described in another HOWTO <config.txt?>.  If you want to
use a different configuration file, use the argument '-config {file}'
with the command shown below.


2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key.  To be useful, there must be a corresponding private key
somewhere.  With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa' if you want an RSA
private key, or 'openssl gendsa' if you want a DSA private key.
Further information on how to create private keys can be found in
another HOWTO <keys.txt?>.  The rest of this text assumes you have
a private key in the file privkey.pem.


3. Creating a certificate request

To create a certificate, you need to start with a certificate
request (or, as some certificate authorities like to put
it, "certificate signing request", since that's exactly what they do:
they sign it and give you the result back, thus making it authentic
according to their policies).  A certificate request can then be sent
to a certificate authority to get it signed into a certificate, or if
you have your own certificate authority, you may sign it yourself, or
if you need a self-signed certificate (because you just want a test
certificate or because you are setting up your own CA).

The certificate request is created like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.  If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>).  In some cases, that isn't sufficient and you will
have to be more creative.
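The procedure of sections 2 and 3 carried through end to end, as an
added example that is not part of the original HOWTO: it generates the
key, builds the request non-interactively with -subj (the bare
'openssl req -new' command above prompts for the subject fields),
checks the request's own signature and subject before it goes anywhere,
and shows the '-outform DER' conversion for a CA that cannot take PEM.
The working directory, the subject name and the file names are
constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: private key -> request
# -> local checks -> DER copy.  Subject and paths are constructed.
set -eu

# Section 2: create an RSA private key in $1/privkey.pem.
make_key() {
    openssl genrsa -out "$1/privkey.pem" 2048
}

# Section 3: create a PEM certificate request in $1/cert.csr for the
# subject given in $2.  -subj replaces the interactive prompts.
make_csr() {
    openssl req -new -key "$1/privkey.pem" -out "$1/cert.csr" -subj "$2"
}

# The request carries a signature made with the private key; a CA checks
# it to see that the sender holds that key.  Exit status is the result.
verify_csr() {
    openssl req -in "$1/cert.csr" -noout -verify >/dev/null 2>&1
}

# Print the subject that is actually inside the request, which is what
# the CA will put into the certificate unless its policy changes it.
csr_subject() {
    openssl req -in "$1/cert.csr" -noout -subject
}

# '-outform DER' for CAs that want binary; read the copy back with
# -inform to show it carries the same request.
csr_to_der() {
    openssl req -in "$1/cert.csr" -outform DER -out "$1/cert.der"
    openssl req -in "$1/cert.der" -inform DER -noout -subject
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing to demonstrate" >&2
        return 0
    fi
    dir=$(mktemp -d)
    make_key "$dir"
    make_csr "$dir" "/CN=test.example"      # constructed subject
    verify_csr "$dir" || { echo "request signature does not verify" >&2; return 1; }
    echo "request signature OK"
    csr_subject "$dir"
    csr_to_der "$dir"
    rm -rf "$dir"
}
main
```

The two checks are the ones a CA runs on receipt, so running them
yourself first avoids a rejected (and possibly already paid-for)
request; a failed verify_csr usually means the request was made with a
different key than the one you are about to keep.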

When the certificate authority has then done the checks they need to
do (and probably gotten payment from you), they will hand over your
new certificate to you.

Section 5 will tell you more on how to handle the certificate you
received.


4. Creating a self-signed certificate

If you don't want to deal with another certificate authority, or just
want to create a test certificate for yourself, or are setting up a
certificate authority of your own, you may want to make the requested
certificate a self-signed one.  If you have created a certificate
request as shown above, you can sign it using the 'openssl x509'
command, for example like this (to create a self-signed CA
certificate):

  openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \
	-signkey privkey.pem -out cacert.pem -trustout


5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else.
Depending on your applications, this may be perfectly OK; it all
depends on what they know how to decode.  If not, there are a number
of OpenSSL tools to convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file.  The ways to do this are described in
another HOWTO <formats.txt?>; I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that's all
right for your applications, simply concatenating the certificate and
the key into a new file and using that one should be enough.  With
some applications, you don't even have to do that.


By now, you have your certificate and your private key and can start
using the software that depends on it.

-- 
Richard Levitte
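Sections 4 and 5 carried through as an added example, appended here
and not part of the original HOWTO: it self-signs the request into a
CA certificate, checks that the certificate verifies against itself
and actually matches privkey.pem before the two are concatenated, and
exports the pair to PKCS12 for applications that cannot read PEM.  The
small extension file stands in for the v3_ca section of openssl.cnf so
the script does not depend on where that file lives, and '-trustout'
is left off so the output is an ordinary "BEGIN CERTIFICATE" block
any application can read.  The subject, paths and PKCS12 password are
constructed.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: self-sign a request,
# check the result, then bundle certificate and key (PEM and PKCS12).
# Subject, paths, extension file and password are constructed.
set -eu

# Constructed stand-in for the v3_ca section of the system openssl.cnf.
write_ca_extfile() {
    cat > "$1/ca_ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Key and request exactly as in sections 2 and 3.
make_key_and_csr() {
    openssl genrsa -out "$1/privkey.pem" 2048
    openssl req -new -key "$1/privkey.pem" -out "$1/cert.csr" -subj "$2"
}

# Section 4: sign the request with its own key.  -days is given
# explicitly because the default lifetime of 'x509 -req' is 30 days.
self_sign() {
    openssl x509 -req -in "$1/cert.csr" -extfile "$1/ca_ext.cnf" \
        -extensions v3_ca -signkey "$1/privkey.pem" -days 365 \
        -out "$1/cacert.pem"
}

# A self-signed CA certificate must verify with itself as the trust anchor.
verify_self_signed() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cacert.pem" >/dev/null 2>&1
}

# Before concatenating, make sure the certificate really belongs to the
# key: the public key derived from each side must be identical.
cert_matches_key() {
    [ "$(openssl x509 -in "$1/cacert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/privkey.pem" -pubout)" ]
}

# Section 5, simplest case: one PEM file holding both.
bundle_pem() {
    cat "$1/cacert.pem" "$1/privkey.pem" > "$1/bundle.pem"
}

# Section 5, PKCS12 case: export, then read the certificate back out to
# show the round trip works.  $2 is the export password.
bundle_pkcs12() {
    openssl pkcs12 -export -in "$1/cacert.pem" -inkey "$1/privkey.pem" \
        -out "$1/bundle.p12" -passout "pass:$2"
    openssl pkcs12 -in "$1/bundle.p12" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -subject
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing to demonstrate" >&2
        return 0
    fi
    dir=$(mktemp -d)
    write_ca_extfile "$dir"
    make_key_and_csr "$dir" "/CN=test-ca.example"    # constructed subject
    self_sign "$dir"
    verify_self_signed "$dir" || { echo "certificate does not verify" >&2; return 1; }
    cert_matches_key "$dir" || { echo "certificate and key do not match" >&2; return 1; }
    echo "self-signed certificate verifies and matches privkey.pem"
    bundle_pem "$dir"
    bundle_pkcs12 "$dir" "constructed-password"       # constructed password
    rm -rf "$dir"
}
main
```

The cert_matches_key check is worth keeping around even when a real CA
issued the certificate: a mismatch there is the usual reason a server
refuses to start with a freshly installed certificate and key pair.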