keys.txt (1.1.1.2) keys.txt (1.1.1.3)
1<DRAFT!>
2 HOWTO keys
3
41. Introduction
5
6Keys are the basis of public key algorithms and PKI. Keys usually
7come in pairs, with one half being the public key and the other half
8being the private key. With OpenSSL, the private key contains the

--- 13 unchanged lines hidden ---

22do is the following:
23
24 openssl genrsa -des3 -out privkey.pem 2048
25
26With this variant, you will be prompted for a protecting password. If
27you don't want your key to be protected by a password, remove the flag
28'-des3' from the command line above.
29
1<DRAFT!>
2 HOWTO keys
3
41. Introduction
5
6Keys are the basis of public key algorithms and PKI. Keys usually
7come in pairs, with one half being the public key and the other half
8being the private key. With OpenSSL, the private key contains the

--- 13 unchanged lines hidden ---

22do is the following:
23
24 openssl genrsa -des3 -out privkey.pem 2048
25
26With this variant, you will be prompted for a protecting password. If
27you don't want your key to be protected by a password, remove the flag
28'-des3' from the command line above.
29
30 NOTE: if you intend to use the key together with a server
31 certificate, it may be a good thing to avoid protecting it
32 with a password, since that would mean someone would have to
33 type in the password every time the server needs to access
34 the key.
35
36The number 2048 is the size of the key, in bits. Today, 2048 or
37higher is recommended for RSA keys, as fewer amount of bits is
38consider insecure or to be insecure pretty soon.
39
40
413. To generate a DSA key
42
43A DSA key can be used for signing only. It is important to

--- 13 unchanged lines hidden ---

57parameters):
58
59 openssl gendsa -des3 -out privkey.pem dsaparam.pem
60
61With this variant, you will be prompted for a protecting password. If
62you don't want your key to be protected by a password, remove the flag
63'-des3' from the command line above.
64
30The number 2048 is the size of the key, in bits. Today, 2048 or
31higher is recommended for RSA keys, as fewer amount of bits is
32consider insecure or to be insecure pretty soon.
33
34
353. To generate a DSA key
36
37A DSA key can be used for signing only. It is important to

--- 13 unchanged lines hidden ---

51parameters):
52
53 openssl gendsa -des3 -out privkey.pem dsaparam.pem
54
55With this variant, you will be prompted for a protecting password. If
56you don't want your key to be protected by a password, remove the flag
57'-des3' from the command line above.
58
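Review bot: the sentence at new lines 30-32, "as fewer amount of bits is consider insecure or to be insecure pretty soon", is ungrammatical and is carried over from the old text unchanged; since this paragraph is being renumbered anyway, suggest "since fewer bits are considered insecure, or will be soon". Note also that the NOTE about server certificates and password protection is dropped from the RSA section here (old lines 30-34), so the reader only learns about it in the new section 5 at the end of the file; a one-line pointer such as "see the NOTE in section 5" after the -des3 sentence would keep the advice visible where the password flag is first introduced.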
65 NOTE: if you intend to use the key together with a server
66 certificate, it may be a good thing to avoid protecting it
67 with a password, since that would mean someone would have to
68 type in the password every time the server needs to access
69 the key.
70
59
71--
72Richard Levitte
604. To generate an EC key
61
62An EC key can be used both for key agreement (ECDH) and signing (ECDSA).
63
64Generating a key for ECC is similar to generating a DSA key. These are
65two-step processes. First, you have to get the EC parameters from which
66the key will be generated:
67
68 openssl ecparam -name prime256v1 -out prime256v1.pem
69
70The prime256v1, or NIST P-256, which stands for 'X9.62/SECG curve over
71a 256-bit prime field', is the name of an elliptic curve which generates the
72parameters. You can use the following command to list all supported curves:
73
74 openssl ecparam -list_curves
75
76When that is done, you can generate a key using the created parameters (several
77keys can be produced from the same parameters):
78
79 openssl genpkey -des3 -paramfile prime256v1.pem -out private.key
80
81With this variant, you will be prompted for a password to protect your key.
82If you don't want your key to be protected by a password, remove the flag
83'-des3' from the command line above.
84
85You can also directly generate the key in one step:
86
87 openssl ecparam -genkey -name prime256v1 -out private.key
88
89or
90
91 openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256
92
93
945. NOTE
95
96If you intend to use the key together with a server certificate,
97it may be reasonable to avoid protecting it with a password, since
98otherwise someone would have to type in the password every time the
99server needs to access the key.
100
101For X25519, it's treated as a distinct algorithm but not as one of
102the curves listed with 'ecparam -list_curves' option. You can use
103the following command to generate an X25519 key:
104
105 openssl genpkey -algorithm X25519 -out xkey.pem
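Review bot: the one-step command at new line 91, "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256", is the only generation command shown here without "-out", so the private key goes to the terminal instead of a file; suggest appending "-out private.key" to match the surrounding examples. The other one-step variant at line 87, "openssl ecparam -genkey -name prime256v1 -out private.key", writes an EC PARAMETERS block in front of the key unless "-noout" is added, which is worth a sentence since the two-step variant above produces a key-only file. The sentence at lines 70-72 reads awkwardly; suggest "prime256v1, also called NIST P-256 ('X9.62/SECG curve over a 256-bit prime field'), is the name of the elliptic curve used to generate the parameters." Finally, since section 4 states which uses EC keys support (key agreement and signing), the X25519 paragraph at lines 101-103 should say the same for X25519 keys so the reader knows when to pick them.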