1<DRAFT!> 2 HOWTO certificates 3 41. Introduction 5 6How you handle certificates depends a great deal on what your role is. 7Your role can be one or several of: 8 9 - User of some client application 10 - User of some server application 11 - Certificate authority 12 13This file is for users who wish to get a certificate of their own. 14Certificate authorities should read https://www.openssl.org/docs/apps/ca.html. 15 16In all the cases shown below, the standard configuration file, as 17compiled into openssl, will be used. You may find it in /etc/, 18/usr/local/ssl/ or somewhere else. By default the file is named 19openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. 20You can specify a different configuration file using the 21'-config {file}' argument with the commands shown below. 22 23 242. Relationship with keys 25 26Certificates are related to public key cryptography by containing a 27public key. To be useful, there must be a corresponding private key 28somewhere. With OpenSSL, public keys are easily derived from private 29keys, so before you create a certificate or a certificate request, you 30need to create a private key. 31 32Private keys are generated with 'openssl genrsa -out privkey.pem' if 33you want a RSA private key, or if you want a DSA private key: 34'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'. 35 36The private keys created by these commands are not passphrase protected; 37it might or might not be the desirable thing. Further information on how to 38create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt. 39The rest of this text assumes you have a private key in the file privkey.pem. 40 41 423. Creating a certificate request 43 44To create a certificate, you need to start with a certificate request 45(or, as some certificate authorities like to put it, "certificate 46signing request", since that's exactly what they do, they sign it and 47give you the result back, thus making it authentic according to their 48policies). A certificate request is sent to a certificate authority 49to get it signed into a certificate. You can also sign the certificate 50yourself if you have your own certificate authority or create a 51self-signed certificate (typically for testing purpose). 52 53The certificate request is created like this: 54 55 openssl req -new -key privkey.pem -out cert.csr 56 57Now, cert.csr can be sent to the certificate authority, if they can 58handle files in PEM format. If not, use the extra argument '-outform' 59followed by the keyword for the format to use (see another HOWTO 60<formats.txt?>). In some cases, -outform does not let you output the 61certificate request in the right format and you will have to use one 62of the various other commands that are exposed by openssl (or get 63creative and use a combination of tools). 64 65The certificate authority performs various checks (according to their 66policies) and usually waits for payment from you. Once that is 67complete, they send you your new certificate. 68 69Section 5 will tell you more on how to handle the certificate you 70received. 71 72 734. Creating a self-signed test certificate 74 75You can create a self-signed certificate if you don't want to deal 76with a certificate authority, or if you just want to create a test 77certificate for yourself. This is similar to creating a certificate 78request, but creates a certificate instead of a certificate request. 79This is NOT the recommended way to create a CA certificate, see 80https://www.openssl.org/docs/apps/ca.html. 81 82 openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 83 84 855. What to do with the certificate 86 87If you created everything yourself, or if the certificate authority 88was kind enough, your certificate is a raw DER thing in PEM format. 89Your key most definitely is if you have followed the examples above. 90However, some (most?) certificate authorities will encode them with 91things like PKCS7 or PKCS12, or something else. Depending on your 92applications, this may be perfectly OK, it all depends on what they 93know how to decode. If not, there are a number of OpenSSL tools to 94convert between some (most?) formats. 95 96So, depending on your application, you may have to convert your 97certificate and your key to various formats, most often also putting 98them together into one file. The ways to do this is described in 99another HOWTO <formats.txt?>, I will just mention the simplest case. 100In the case of a raw DER thing in PEM format, and assuming that's all 101right for your applications, simply concatenating the certificate and 102the key into a new file and using that one should be enough. With 103some applications, you don't even have to do that. 104 105 106By now, you have your certificate and your private key and can start 107using applications that depend on it. 108 109-- 110Richard Levitte 111