OpenSSL – Private Keys & Certificate Request

By | November 29, 2015

Private Keys:

HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI. Keys usually
come in pairs, with one half being the public key and the other half
being the private key. With OpenSSL, the private key contains the
public key information as well, so a public key doesn’t need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms. The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.
2. To generate a RSA key

A RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy, all you have to
do is the following:

openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password. If
you don’t want your key to be protected by a password, remove the flag
‘-des3’ from the command line above.

NOTE: if you intend to use the key together with a server
certificate, it may be a good thing to avoid protecting it
with a password, since that would mean someone would have to
type in the password every time the server needs to access
the key.

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for RSA keys, as fewer amount of bits is
consider insecure or to be insecure pretty soon.
3. To generate a DSA key

A DSA key can be used for signing only. This is important to keep
in mind to know what kind of purposes a certificate request with a
DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process. First,
you have to generate parameters from which to generate the key:

openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for DSA keys, as fewer amount of bits is
consider insecure or to be insecure pretty soon.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password. If
you don’t want your key to be protected by a password, remove the flag
‘-des3’ from the command line above.

NOTE: if you intend to use the key together with a server
certificate, it may be a good thing to avoid protecting it
with a password, since that would mean someone would have to
type in the password every time the server needs to access
the key.


Richard Levitte


 

Certificates

HOWTO certificates

1. Introduction

How you handle certificates depend a great deal on what your role is.
Your role can be one or several of:

– User of some client software
– User of some server software
– Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read ca.txt.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and
is better described in another HOWTO <config.txt?>. If you want to
use a different configuration file, use the argument ‘-config {file}’
with the command shown below.
2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key. To be useful, there must be a corresponding private key
somewhere. With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with ‘openssl genrsa’ if you want a RSA
private key, or ‘openssl gendsa’ if you want a DSA private key.
Further information on how to create private keys can be found in
another HOWTO <keys.txt?>. The rest of this text assumes you have
a private key in the file privkey.pem.
3. Creating a certificate request

To create a certificate, you need to start with a certificate
request (or, as some certificate authorities like to put
it, “certificate signing request”, since that’s exactly what they do,
they sign it and give you the result back, thus making it authentic
according to their policies). A certificate request can then be sent
to a certificate authority to get it signed into a certificate, or if
you have your own certificate authority, you may sign it yourself, or
if you need a self-signed certificate (because you just want a test
certificate or because you are setting up your own CA).

The certificate request is created like this:

openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format. If not, use the extra argument ‘-outform’
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>). In some cases, that isn’t sufficient and you will
have to be more creative.

When the certificate authority has then done the checks the need to
do (and probably gotten payment from you), they will hand over your
new certificate to you.

Section 5 will tell you more on how to handle the certificate you
received.
4. Creating a self-signed test certificate

If you don’t want to deal with another certificate authority, or just
want to create a test certificate for yourself. This is similar to
creating a certificate request, but creates a certificate instead of
a certificate request. This is NOT the recommended way to create a
CA certificate, see ca.txt.

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else. Depending on your
applications, this may be perfectly OK, it all depends on what they
know how to decode. If not, There are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file. The ways to do this is described in
another HOWTO <formats.txt?>, I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that’s all
right for yor applications, simply concatenating the certificate and
the key into a new file and using that one should be enough. With
some applications, you don’t even have to do that.
By now, you have your cetificate and your private key and can start
using the software that depend on it.


Richard Levitte


Testing a Connection

openssl s_client -connect www.paypal.com:443