xref: /freebsd/crypto/openssl/doc/HOWTO/certificates.txt (revision cfd6422a5217410fbd66f7a7a8a64d9d85e61229)
1<DRAFT!>
2			HOWTO certificates
3
41. Introduction
5
6How you handle certificates depends a great deal on what your role is.
7Your role can be one or several of:
8
9  - User of some client application
10  - User of some server application
11  - Certificate authority
12
13This file is for users who wish to get a certificate of their own.
14Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.
15
16In all the cases shown below, the standard configuration file, as
17compiled into openssl, will be used.  You may find it in /etc/,
18/usr/local/ssl/ or somewhere else.  By default the file is named
19openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
20You can specify a different configuration file using the
21'-config {file}' argument with the commands shown below.
22
23
242. Relationship with keys
25
26Certificates are related to public key cryptography by containing a
27public key.  To be useful, there must be a corresponding private key
28somewhere.  With OpenSSL, public keys are easily derived from private
29keys, so before you create a certificate or a certificate request, you
30need to create a private key.
31
32Private keys are generated with 'openssl genrsa -out privkey.pem' if
33you want a RSA private key, or if you want a DSA private key:
34'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.
35
36The private keys created by these commands are not passphrase protected;
37it might or might not be the desirable thing.  Further information on how to
38create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
39The rest of this text assumes you have a private key in the file privkey.pem.
40
41
423. Creating a certificate request
43
44To create a certificate, you need to start with a certificate request
45(or, as some certificate authorities like to put it, "certificate
46signing request", since that's exactly what they do, they sign it and
47give you the result back, thus making it authentic according to their
48policies).  A certificate request is sent to a certificate authority
49to get it signed into a certificate. You can also sign the certificate
50yourself if you have your own certificate authority or create a
51self-signed certificate (typically for testing purpose).
52
53The certificate request is created like this:
54
55  openssl req -new -key privkey.pem -out cert.csr
56
57Now, cert.csr can be sent to the certificate authority, if they can
58handle files in PEM format.  If not, use the extra argument '-outform'
59followed by the keyword for the format to use (see another HOWTO
60<formats.txt?>).  In some cases, -outform does not let you output the
61certificate request in the right format and you will have to use one
62of the various other commands that are exposed by openssl (or get
63creative and use a combination of tools).
64
65The certificate authority performs various checks (according to their
66policies) and usually waits for payment from you. Once that is
67complete, they send you your new certificate.
68
69Section 5 will tell you more on how to handle the certificate you
70received.
71
72
734. Creating a self-signed test certificate
74
75You can create a self-signed certificate if you don't want to deal
76with a certificate authority, or if you just want to create a test
77certificate for yourself.  This is similar to creating a certificate
78request, but creates a certificate instead of a certificate request.
79This is NOT the recommended way to create a CA certificate, see
80https://www.openssl.org/docs/apps/ca.html.
81
82  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
83
84
855. What to do with the certificate
86
87If you created everything yourself, or if the certificate authority
88was kind enough, your certificate is a raw DER thing in PEM format.
89Your key most definitely is if you have followed the examples above.
90However, some (most?) certificate authorities will encode them with
91things like PKCS7 or PKCS12, or something else.  Depending on your
92applications, this may be perfectly OK, it all depends on what they
93know how to decode.  If not, there are a number of OpenSSL tools to
94convert between some (most?) formats.
95
96So, depending on your application, you may have to convert your
97certificate and your key to various formats, most often also putting
98them together into one file.  The ways to do this is described in
99another HOWTO <formats.txt?>, I will just mention the simplest case.
100In the case of a raw DER thing in PEM format, and assuming that's all
101right for your applications, simply concatenating the certificate and
102the key into a new file and using that one should be enough.  With
103some applications, you don't even have to do that.
104
105
106By now, you have your certificate and your private key and can start
107using applications that depend on it.
108
109--
110Richard Levitte
111