1<DRAFT!> 2 HOWTO certificates 3 4How you handle certificates depend a great deal on what your role is. 5Your role can be one or several of: 6 7 - User of some client software 8 - User of some server software 9 - Certificate authority 10 11This file is for users who wish to get a certificate of their own. 12Certificate authorities should read ca.txt. 13 14In all the cases shown below, the standard configuration file, as 15compiled into openssl, will be used. You may find it in /etc/, 16/usr/local/ssr/ or somewhere else. The name is openssl.cnf, and 17is better described in another HOWTO <config.txt?>. If you want to 18use a different configuration file, use the argument '-config {file}' 19with the command shown below. 20 21 22Certificates are related to public key cryptography by containing a 23public key. To be useful, there must be a corresponding private key 24somewhere. With OpenSSL, public keys are easily derived from private 25keys, so before you create a certificate or a certificate request, you 26need to create a private key. 27 28Private keys are generated with 'openssl genrsa' if you want a RSA 29private key, or 'openssl gendsa' if you want a DSA private key. More 30info on how to handle these commands are found in the manual pages for 31those commands or by running them with the argument '-h'. For the 32sake of the description in this file, let's assume that the private 33key ended up in the file privkey.pem (which is the default in some 34cases). 35 36 37Let's start with the most normal way of getting a certificate. Most 38often, you want or need to get a certificate from a certificate 39authority. To handle that, the certificate authority needs a 40certificate request (or, as some certificate authorities like to put 41it, "certificate signing request", since that's exactly what they do, 42they sign it and give you the result back, thus making it authentic 43according to their policies) from you. To generate a request, use the 44command 'openssl req' like this: 45 46 openssl req -new -key privkey.pem -out cert.csr 47 48Now, cert.csr can be sent to the certificate authority, if they can 49handle files in PEM format. If not, use the extra argument '-outform' 50followed by the keyword for the format to use (see another HOWTO 51<formats.txt?>). In some cases, that isn't sufficient and you will 52have to be more creative. 53 54When the certificate authority has then done the checks the need to 55do (and probably gotten payment from you), they will hand over your 56new certificate to you. 57 58 59[fill in on how to create a self-signed certificate] 60 61 62If you created everything yourself, or if the certificate authority 63was kind enough, your certificate is a raw DER thing in PEM format. 64Your key most definitely is if you have followed the examples above. 65However, some (most?) certificate authorities will encode them with 66things like PKCS7 or PKCS12, or something else. Depending on your 67applications, this may be perfectly OK, it all depends on what they 68know how to decode. If not, There are a number of OpenSSL tools to 69convert between some (most?) formats. 70 71So, depending on your application, you may have to convert your 72certificate and your key to various formats, most often also putting 73them together into one file. The ways to do this is described in 74another HOWTO <formats.txt?>, I will just mention the simplest case. 75In the case of a raw DER thing in PEM format, and assuming that's all 76right for yor applications, simply concatenating the certificate and 77the key into a new file and using that one should be enough. With 78some applications, you don't even have to do that. 79 80 81By now, you have your cetificate and your private key and can start 82using the software that depend on it. 83 84-- 85Richard Levitte 86