xref: /freebsd/crypto/openssl/doc/HOWTO/certificates.txt (revision c98323078dede7579020518ec84cdcb478e5c142)
1<DRAFT!>
2			HOWTO certificates
3
41. Introduction
5
6How you handle certificates depend a great deal on what your role is.
7Your role can be one or several of:
8
9  - User of some client software
10  - User of some server software
11  - Certificate authority
12
13This file is for users who wish to get a certificate of their own.
14Certificate authorities should read ca.txt.
15
16In all the cases shown below, the standard configuration file, as
17compiled into openssl, will be used.  You may find it in /etc/,
18/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
19is better described in another HOWTO <config.txt?>.  If you want to
20use a different configuration file, use the argument '-config {file}'
21with the command shown below.
22
23
242. Relationship with keys
25
26Certificates are related to public key cryptography by containing a
27public key.  To be useful, there must be a corresponding private key
28somewhere.  With OpenSSL, public keys are easily derived from private
29keys, so before you create a certificate or a certificate request, you
30need to create a private key.
31
32Private keys are generated with 'openssl genrsa' if you want a RSA
33private key, or 'openssl gendsa' if you want a DSA private key.
34Further information on how to create private keys can be found in
35another HOWTO <keys.txt?>.  The rest of this text assumes you have
36a private key in the file privkey.pem.
37
38
393. Creating a certificate request
40
41To create a certificate, you need to start with a certificate
42request (or, as some certificate authorities like to put
43it, "certificate signing request", since that's exactly what they do,
44they sign it and give you the result back, thus making it authentic
45according to their policies).  A certificate request can then be sent
46to a certificate authority to get it signed into a certificate, or if
47you have your own certificate authority, you may sign it yourself, or
48if you need a self-signed certificate (because you just want a test
49certificate or because you are setting up your own CA).
50
51The certificate request is created like this:
52
53  openssl req -new -key privkey.pem -out cert.csr
54
55Now, cert.csr can be sent to the certificate authority, if they can
56handle files in PEM format.  If not, use the extra argument '-outform'
57followed by the keyword for the format to use (see another HOWTO
58<formats.txt?>).  In some cases, that isn't sufficient and you will
59have to be more creative.
60
61When the certificate authority has then done the checks the need to
62do (and probably gotten payment from you), they will hand over your
63new certificate to you.
64
65Section 5 will tell you more on how to handle the certificate you
66received.
67
68
694. Creating a self-signed certificate
70
71If you don't want to deal with another certificate authority, or just
72want to create a test certificate for yourself, or are setting up a
73certificate authority of your own, you may want to make the requested
74certificate a self-signed one.  This is similar to creating a
75certificate request, but creates a certificate instead of a
76certificate request (1095 is 3 years):
77
78  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
79
80
815. What to do with the certificate
82
83If you created everything yourself, or if the certificate authority
84was kind enough, your certificate is a raw DER thing in PEM format.
85Your key most definitely is if you have followed the examples above.
86However, some (most?) certificate authorities will encode them with
87things like PKCS7 or PKCS12, or something else.  Depending on your
88applications, this may be perfectly OK, it all depends on what they
89know how to decode.  If not, There are a number of OpenSSL tools to
90convert between some (most?) formats.
91
92So, depending on your application, you may have to convert your
93certificate and your key to various formats, most often also putting
94them together into one file.  The ways to do this is described in
95another HOWTO <formats.txt?>, I will just mention the simplest case.
96In the case of a raw DER thing in PEM format, and assuming that's all
97right for yor applications, simply concatenating the certificate and
98the key into a new file and using that one should be enough.  With
99some applications, you don't even have to do that.
100
101
102By now, you have your cetificate and your private key and can start
103using the software that depend on it.
104
105--
106Richard Levitte
107