<DRAFT!>
                        HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI.  Keys usually
come in pairs, with one half being the public key and the other half
being the private key.  With OpenSSL, the private key contains the
public key information as well, so a public key doesn't need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms.  The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.


2. To generate an RSA key

An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy; all you have to
do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

        NOTE: if you intend to use the key together with a server
        certificate, it may be a good thing to avoid protecting it
        with a password, since that would mean someone would have to
        type in the password every time the server needs to access
        the key.

The number 2048 is the size of the key, in bits.  Today, 2048 bits or
more is recommended for RSA keys, as smaller keys are considered
insecure, or will be considered insecure soon.


3. To generate a DSA key

A DSA key can be used for signing only.  It is important to know
what a certificate request with a DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process.  First,
you have to generate parameters from which to generate the key:

  openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits.  Today, 2048 bits or
more is recommended for DSA keys, as smaller keys are considered
insecure, or will be considered insecure soon.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

  openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

        NOTE: if you intend to use the key together with a server
        certificate, it may be a good thing to avoid protecting it
        with a password, since that would mean someone would have to
        type in the password every time the server needs to access
        the key.

--
Richard Levitte
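The RSA and DSA procedures above, as an added example that is not part of the HOWTO or of OpenSSL itself: it wraps the same genrsa/dsaparam/gendsa commands in functions, then checks the result the way a practitioner would (is the file really passphrase protected, is it really 2048 bits, does the public half extracted from the private key verify a signature).  The function names, the constructed DEMO_PASS value and the use of -passout/-passin to avoid the interactive prompt are the example's own assumptions; it expects a POSIX shell and openssl 1.1.x or 3.x in PATH.

```shell
#!/bin/sh
# Added example (not from the HOWTO): generate the RSA and DSA keys the text
# describes and check the result. Assumes POSIX sh and openssl 1.1.x or 3.x in PATH.
# Constructed demo passphrase; real ones come from a secret store, not a script.
DEMO_PASS="${DEMO_PASS:-correct horse battery staple}"

# RSA is one step.  $1 = output file, $2 = key size in bits, $3 = passphrase
# (empty or omitted gives an unprotected key, as when '-des3' is dropped).
gen_rsa_key() {
    if [ -n "${3:-}" ]; then
        openssl genrsa -des3 -passout "pass:$3" -out "$1" "$2" 2>/dev/null
    else
        openssl genrsa -out "$1" "$2" 2>/dev/null
    fi
}

# DSA is two steps: parameters first, then a key from those parameters.
# $1 = parameter file, $2 = output key file, $3 = size in bits, $4 = passphrase.
gen_dsa_key() {
    openssl dsaparam -out "$1" "$3" 2>/dev/null || return 1
    if [ -n "${4:-}" ]; then
        openssl gendsa -des3 -passout "pass:$4" -out "$2" "$1" 2>/dev/null
    else
        openssl gendsa -out "$2" "$1" 2>/dev/null
    fi
}

# Exit 0 if the PEM file is passphrase protected.  PKCS#8 output says
# "ENCRYPTED PRIVATE KEY"; the legacy format says "Proc-Type: 4,ENCRYPTED".
is_encrypted() { grep -q ENCRYPTED "$1"; }

# Print the size in bits of a private key (RSA modulus or DSA prime p).
# $1 = key file, $2 = passphrase if the file is protected.
key_bits() {
    openssl pkey -in "$1" -passin "pass:${2:-}" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Both key types can sign.  Derive the public half from the private key file
# (it is in there, as the introduction says), sign $3 and verify the result.
# $1 = private key file, $2 = passphrase or "", $3 = file to sign.
sign_and_verify() {
    pub=$(mktemp) && sig=$(mktemp) || return 1
    openssl pkey -in "$1" -passin "pass:${2:-}" -pubout -out "$pub" 2>/dev/null &&
        openssl dgst -sha256 -sign "$1" -passin "pass:${2:-}" -out "$sig" "$3" 2>/dev/null &&
        openssl dgst -sha256 -verify "$pub" -signature "$sig" "$3" >/dev/null 2>&1
    rc=$?
    rm -f "$pub" "$sig"
    return $rc
}
```

Source the file and call, for instance, `gen_rsa_key privkey.pem 2048 "$DEMO_PASS"` followed by `is_encrypted privkey.pem && key_bits privkey.pem "$DEMO_PASS"`; a server key generated without the third argument will fail is_encrypted, which is exactly the unprotected state the NOTE above describes.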