xref: /freebsd/crypto/openssl/doc/HOWTO/keys.txt (revision 1c05a6ea6b849ff95e539c31adea887c644a6a01)
1<DRAFT!>
2			HOWTO keys
3
41. Introduction
5
6Keys are the basis of public key algorithms and PKI.  Keys usually
7come in pairs, with one half being the public key and the other half
8being the private key.  With OpenSSL, the private key contains the
9public key information as well, so a public key doesn't need to be
10generated separately.
11
12Public keys come in several flavors, using different cryptographic
13algorithms.  The most popular ones associated with certificates are
14RSA and DSA, and this HOWTO will show how to generate each of them.
15
16
172. To generate a RSA key
18
19A RSA key can be used both for encryption and for signing.
20
21Generating a key for the RSA algorithm is quite easy, all you have to
22do is the following:
23
24  openssl genrsa -des3 -out privkey.pem 2048
25
26With this variant, you will be prompted for a protecting password.  If
27you don't want your key to be protected by a password, remove the flag
28'-des3' from the command line above.
29
30    NOTE: if you intend to use the key together with a server
31    certificate, it may be a good thing to avoid protecting it
32    with a password, since that would mean someone would have to
33    type in the password every time the server needs to access
34    the key.
35
36The number 2048 is the size of the key, in bits.  Today, 2048 or
37higher is recommended for RSA keys, as fewer amount of bits is
38consider insecure or to be insecure pretty soon.
39
40
413. To generate a DSA key
42
43A DSA key can be used for signing only.  It is important to
44know what a certificate request with a DSA key can really be used for.
45
46Generating a key for the DSA algorithm is a two-step process.  First,
47you have to generate parameters from which to generate the key:
48
49  openssl dsaparam -out dsaparam.pem 2048
50
51The number 2048 is the size of the key, in bits.  Today, 2048 or
52higher is recommended for DSA keys, as fewer amount of bits is
53consider insecure or to be insecure pretty soon.
54
55When that is done, you can generate a key using the parameters in
56question (actually, several keys can be generated from the same
57parameters):
58
59  openssl gendsa -des3 -out privkey.pem dsaparam.pem
60
61With this variant, you will be prompted for a protecting password.  If
62you don't want your key to be protected by a password, remove the flag
63'-des3' from the command line above.
64
65    NOTE: if you intend to use the key together with a server
66    certificate, it may be a good thing to avoid protecting it
67    with a password, since that would mean someone would have to
68    type in the password every time the server needs to access
69    the key.
70
71--
72Richard Levitte
73