<DRAFT!>

HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI. Keys usually
come in pairs, with one half being the public key and the other half
being the private key. With OpenSSL, the private key contains the
public key information as well, so a public key doesn't need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms. The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.


2. To generate an RSA key

An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy; all you have to
do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password. If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

  NOTE: if you intend to use the key together with a server
  certificate, it may be a good thing to avoid protecting it
  with a password, since that would mean someone would have to
  type in the password every time the server needs to access
  the key.

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for RSA keys, as smaller keys are considered
insecure, or likely to become insecure soon.


3. To generate a DSA key

A DSA key can be used for signing only. This is important to keep in
mind, so that you know what purposes a certificate request with a DSA
key can really be used for.

Generating a key for the DSA algorithm is a two-step process. First,
you have to generate parameters from which to generate the key:

  openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for DSA keys, as smaller keys are considered
insecure, or likely to become insecure soon.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

  openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password. If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

  NOTE: if you intend to use the key together with a server
  certificate, it may be a good thing to avoid protecting it
  with a password, since that would mean someone would have to
  type in the password every time the server needs to access
  the key.

--
Richard Levitte
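The RSA and DSA procedures from sections 2 and 3, as one added example that is not part of this HOWTO: it runs both non-interactively (the password is supplied with -passout rather than prompted for, and -aes256 stands in for -des3), derives each public key from its private key, and checks the key size and the encrypt-versus-sign-only difference between the two algorithms. It assumes the openssl command line tool is on PATH; the file names and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): generate an RSA and a DSA key as
# described above, but non-interactively, then check what came out.
# Assumes the openssl command line tool is on PATH.
set -eu

WORKDIR=$(mktemp -d)                     # all PEM files are written here
PASS="pass:constructed-demo-passphrase"  # constructed value; do not reuse

# RSA is a single step. -aes256 stands in for the HOWTO's -des3 (same role,
# stronger cipher); -passout supplies the password instead of prompting.
gen_rsa() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORKDIR/rsa_priv.pem" 2048 2>/dev/null
}

# DSA is two steps: parameters first, then a key from those parameters.
gen_dsa() {
    openssl dsaparam -out "$WORKDIR/dsaparam.pem" 2048 2>/dev/null
    openssl gendsa -aes256 -passout "$PASS" -out "$WORKDIR/dsa_priv.pem" \
        "$WORKDIR/dsaparam.pem" 2>/dev/null
}

# Key size in bits, parsed from 'openssl pkey -text' output such as
# "Private-Key: (2048 bit ...)", so a script can enforce the 2048-bit floor.
key_bits() {
    openssl pkey -in "$1" -passin "$PASS" -noout -text |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# The private key already carries the public key, so derive the public half.
export_pub() {
    openssl pkey -in "$1" -passin "$PASS" -pubout -out "$2"
}

# Exit 0 if the public key can encrypt. RSA can; DSA is signing only and
# fails here, which is the difference between sections 2 and 3.
can_encrypt() {
    printf 'hello' > "$WORKDIR/msg"
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$WORKDIR/msg" \
        -out "$WORKDIR/msg.enc" 2>/dev/null
}

gen_rsa
gen_dsa
export_pub "$WORKDIR/rsa_priv.pem" "$WORKDIR/rsa_pub.pem"
export_pub "$WORKDIR/dsa_priv.pem" "$WORKDIR/dsa_pub.pem"
echo "RSA: $(key_bits "$WORKDIR/rsa_priv.pem") bit, DSA: $(key_bits "$WORKDIR/dsa_priv.pem") bit"
```

Generating the 2048-bit DSA parameters can take a few seconds, which is why the HOWTO separates that step from key generation.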