<DRAFT!>
                        HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI. Keys usually
come in pairs, with one half being the public key and the other half
being the private key. With OpenSSL, the private key contains the
public key information as well, so a public key doesn't need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms. The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.


2. To generate an RSA key

An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy; all you have to
do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a password that protects
the key. If you don't want your key to be protected by a password,
remove the flag '-des3' from the command line above.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for RSA keys, as keys with fewer bits are
considered insecure, or expected to become insecure soon.

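The script below is an added example, not part of this HOWTO. It runs the same genrsa command non-interactively (the '-passout' option replaces the prompt), then performs the checks worth doing before a key is put to use: confirm whether the file is actually encrypted, run OpenSSL's internal consistency check, read the modulus size back instead of trusting the number typed on the command line, and export the public half. It assumes the openssl(1) command-line tool is on PATH; the function names, the temporary directory layout and the passphrase are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the OpenSSL HOWTO. Assumes openssl(1) is installed.
set -eu

# gen_rsa_key FILE BITS [PASSPHRASE]
# Creates an RSA private key. With a passphrase the key is encrypted with
# -des3 exactly as in the HOWTO; -passout supplies it without a prompt.
gen_rsa_key() {
    if [ "${3:-}" ]; then
        openssl genrsa -des3 -passout "pass:$3" -out "$1" "$2" 2>/dev/null
    else
        openssl genrsa -out "$1" "$2" 2>/dev/null
    fi
    chmod 600 "$1"   # a private key must not be readable by other users
}

# key_is_encrypted FILE
# Both PEM encodings OpenSSL uses for protected keys carry the word
# ENCRYPTED: "Proc-Type: 4,ENCRYPTED" (legacy) or
# "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8). An unprotected key has neither.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# check_rsa_key FILE [PASSPHRASE]
# Runs OpenSSL's consistency check on the key components (p, q, d, CRT values).
check_rsa_key() {
    openssl rsa -in "$1" -passin "pass:${2:-}" -check -noout >/dev/null 2>&1
}

# rsa_key_bits FILE [PASSPHRASE]
# Prints the modulus size in bits. The -modulus output is "Modulus=<hex>",
# and each hex digit is four bits, so the length of the hex part gives the size.
rsa_key_bits() {
    mod=$(openssl rsa -in "$1" -passin "pass:${2:-}" -noout -modulus)
    hex=${mod#Modulus=}
    echo $(( ${#hex} * 4 ))
}

# export_pubkey KEYFILE PUBFILE [PASSPHRASE]
# Writes the public half. As the HOWTO says, it is already contained in
# the private key, so nothing has to be generated separately.
export_pubkey() {
    openssl rsa -in "$1" -passin "pass:${3:-}" -pubout -out "$2" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    pass="correct horse battery"          # constructed passphrase for the demo
    gen_rsa_key "$dir/privkey.pem" 2048 "$pass"
    key_is_encrypted "$dir/privkey.pem" && echo "privkey.pem is passphrase-protected"
    check_rsa_key "$dir/privkey.pem" "$pass" && echo "key components are consistent"
    echo "modulus size: $(rsa_key_bits "$dir/privkey.pem" "$pass") bits"
    export_pubkey "$dir/privkey.pem" "$dir/pubkey.pem" "$pass"
    head -n 1 "$dir/pubkey.pem"           # -----BEGIN PUBLIC KEY-----
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

The size check matters more than it looks: '-modulus' reads the key that was actually written, so a typo such as 1024 on the command line, or a tool that silently ignored the requested size, is caught before the key is deployed.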
3. To generate a DSA key

A DSA key can be used for signing only. This is important to keep
in mind when considering what purposes a certificate request with a
DSA key can really serve.

Generating a key for the DSA algorithm is a two-step process. First,
you have to generate parameters from which to generate the key:

  openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for DSA keys, as keys with fewer bits are
considered insecure, or expected to become insecure soon.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

  openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a password that protects
the key. If you don't want your key to be protected by a password,
remove the flag '-des3' from the command line above.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.

--
Richard Levitte
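The following script is an added example for the DSA section above, not part of the HOWTO. It runs the two-step procedure non-interactively, derives two keys from the same parameter file to show that they are distinct, reads the key size back, and then demonstrates the point the section opens with: a DSA key signs and verifies, but OpenSSL refuses to use it for encryption. It assumes openssl(1) is on PATH and was built with DSA support (DSA is deprecated in OpenSSL 3 but still available by default); the function names, file names, message text and passphrase are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the OpenSSL HOWTO. Assumes openssl(1) with DSA support.
set -eu

# gen_dsa_params FILE BITS
# Step one of the HOWTO: the domain parameters (p, q, g) the keys are built on.
gen_dsa_params() {
    openssl dsaparam -out "$1" "$2" 2>/dev/null
}

# gen_dsa_key PARAMS KEYFILE [PASSPHRASE]
# Step two: a private key from the parameters; -passout replaces the prompt.
gen_dsa_key() {
    if [ "${3:-}" ]; then
        openssl gendsa -des3 -passout "pass:$3" -out "$2" "$1" 2>/dev/null
    else
        openssl gendsa -out "$2" "$1" 2>/dev/null
    fi
    chmod 600 "$2"   # a private key must not be readable by other users
}

# dsa_key_bits KEYFILE [PASSPHRASE]
# Prints the size reported by OpenSSL's text dump ("Private-Key: (2048 bit)").
dsa_key_bits() {
    openssl dsa -in "$1" -passin "pass:${2:-}" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# dsa_pubkey KEYFILE PUBFILE [PASSPHRASE]
dsa_pubkey() {
    openssl dsa -in "$1" -passin "pass:${3:-}" -pubout -out "$2" 2>/dev/null
}

# dsa_sign KEYFILE DATAFILE SIGFILE [PASSPHRASE]
dsa_sign() {
    openssl dgst -sha256 -sign "$1" -passin "pass:${4:-}" -out "$3" "$2"
}

# dsa_verify PUBFILE DATAFILE SIGFILE  (exit 0 only if the signature matches)
dsa_verify() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# key_can_encrypt PUBFILE  (exit 0 if pkeyutl accepts the key for encryption)
# For a DSA key this fails at context setup: the algorithm has no
# encryption operation, which is what "signing only" means in practice.
key_can_encrypt() {
    printf 'x' | openssl pkeyutl -encrypt -pubin -inkey "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    gen_dsa_params "$dir/dsaparam.pem" 2048
    gen_dsa_key "$dir/dsaparam.pem" "$dir/key1.pem"
    gen_dsa_key "$dir/dsaparam.pem" "$dir/key2.pem"      # second key, same parameters
    dsa_pubkey "$dir/key1.pem" "$dir/pub1.pem"
    dsa_pubkey "$dir/key2.pem" "$dir/pub2.pem"
    cmp -s "$dir/pub1.pem" "$dir/pub2.pem" || echo "two distinct keys from one parameter set"
    echo "key size: $(dsa_key_bits "$dir/key1.pem") bits"
    printf 'constructed message\n' > "$dir/msg"             # constructed sample input
    dsa_sign "$dir/key1.pem" "$dir/msg" "$dir/msg.sig"
    dsa_verify "$dir/pub1.pem" "$dir/msg" "$dir/msg.sig" && echo "signature verified"
    key_can_encrypt "$dir/pub1.pem" || echo "DSA key refused for encryption (signing only)"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

Parameter generation is the slow step; the key generation that follows is cheap, which is why the HOWTO separates them and why one parameter file can serve several keys.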