<DRAFT!>
                        HOWTO certificates

1. Introduction

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

  - User of some client application
  - User of some server application
  - Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used.  You may find it in /etc/,
/usr/local/ssl/ or somewhere else.  By default the file is named
openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.


2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key.  To be useful, there must be a corresponding private key
somewhere.  With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa -out privkey.pem' if
you want an RSA private key, or if you want a DSA private key:
'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.

The private keys created by these commands are not passphrase protected;
that might or might not be what you want.
Further information on how to
create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
The rest of this text assumes you have a private key in the file privkey.pem.


3. Creating a certificate request

To create a certificate, you need to start with a certificate request
(or, as some certificate authorities like to put it, "certificate
signing request", since that's exactly what they do: they sign it and
give you the result back, thus making it authentic according to their
policies).  A certificate request is sent to a certificate authority
to get it signed into a certificate.  You can also sign the certificate
yourself if you have your own certificate authority, or create a
self-signed certificate (typically for testing purposes).

The certificate request is created like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.  If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>).  In some cases, -outform does not let you output the
certificate request in the right format and you will have to use one
of the various other commands that are exposed by openssl (or get
creative and use a combination of tools).

The certificate authority performs various checks (according to their
policies) and usually waits for payment from you.  Once that is
complete, they send you your new certificate.
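The key and request steps from sections 2 and 3, with the checks worth running before a request leaves your machine, as an added example; this script is not part of the OpenSSL HOWTO.  The function names, the temporary working directory, the /CN=example.test subject and the passphrase are assumptions made for this example; the openssl subcommands and options are the standard ones.

```shell
#!/bin/sh
# Added example (not part of the OpenSSL HOWTO): create a private key and a
# certificate request as in sections 2 and 3, then check the request before
# sending it to a CA.  Function names, the working directory, the subject
# and the passphrase are assumptions made for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH; nothing to demonstrate" >&2; exit 0; }

# Unencrypted RSA key, as 'openssl genrsa' produces it.  Restrict the file
# mode: anyone who can read this file can act as the certificate holder.
make_key() {
    dir=$1
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
    chmod 600 "$dir/privkey.pem"
}

# Passphrase-protected variant: the key is AES-encrypted at rest, and every
# later command that reads it needs '-passin'.
make_encrypted_key() {
    dir=$1 pass=$2
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/privkey.pem" 2048 2>/dev/null
    chmod 600 "$dir/privkey.pem"
}

# Certificate request for $dir/privkey.pem.  '-subj' supplies the
# distinguished name non-interactively; the optional third argument is the
# key passphrase for an encrypted key.
make_csr() {
    dir=$1 subj=$2 pass=${3:-}
    if [ -n "$pass" ]; then
        openssl req -new -key "$dir/privkey.pem" -passin "pass:$pass" -subj "$subj" -out "$dir/cert.csr"
    else
        openssl req -new -key "$dir/privkey.pem" -subj "$subj" -out "$dir/cert.csr"
    fi
}

# Check 1: the request's own signature verifies (a corrupted or truncated
# file fails here, before the CA ever sees it).
csr_is_well_formed() {
    openssl req -in "$1/cert.csr" -noout -verify >/dev/null 2>&1
}

# Check 2: the public key inside the request is the one derived from our
# private key, so the certificate the CA issues will actually be usable
# with privkey.pem.  Both commands print the same SubjectPublicKeyInfo PEM.
csr_matches_key() {
    dir=$1 pass=${2:-}
    from_csr=$(openssl req -in "$dir/cert.csr" -noout -pubkey)
    if [ -n "$pass" ]; then
        from_key=$(openssl pkey -in "$dir/privkey.pem" -passin "pass:$pass" -pubout)
    else
        from_key=$(openssl pkey -in "$dir/privkey.pem" -pubout)
    fi
    [ "$from_csr" = "$from_key" ]
}

# Subject line of the request, to eyeball the name you are asking for.
csr_subject() {
    openssl req -in "$1/cert.csr" -noout -subject
}

main() {
    work=$(mktemp -d)
    make_key "$work"
    make_csr "$work" "/CN=example.test"
    csr_is_well_formed "$work"
    csr_matches_key "$work"
    echo "cert.csr is ready to send: $(csr_subject "$work")"
    rm -rf "$work"
}

main
```

Run it as a plain sh script; it works with its own temporary directory so nothing in the current directory is touched.  The two checks are cheap and catch the common mistake of pairing a request with the wrong key, which otherwise only shows up when the issued certificate refuses to load.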
Section 5 will tell you more on how to handle the certificate you
received.


4. Creating a self-signed test certificate

You can create a self-signed certificate if you don't want to deal
with a certificate authority, or if you just want to create a test
certificate for yourself.  This is similar to creating a certificate
request, but creates a certificate instead of a certificate request.
This is NOT the recommended way to create a CA certificate; see
https://www.openssl.org/docs/apps/ca.html.

  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095


5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else.  Depending on your
applications, this may be perfectly OK; it all depends on what they
know how to decode.  If not, there are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file.  The ways to do this are described in
another HOWTO <formats.txt?>; I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that's all
right for your applications, simply concatenating the certificate and
the key into a new file and using that one should be enough.  With
some applications, you don't even have to do that.


By now, you have your certificate and your private key and can start
using applications that depend on them.

-- 
Richard Levitte
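The self-signed test certificate from section 4 and the "concatenate certificate and key" case from section 5, with checks on what was produced, as an added example; this script is not part of the OpenSSL HOWTO.  The function names, the temporary working directory and the /CN=example.test subject are assumptions made for this example; the openssl subcommands and options are the standard ones.

```shell
#!/bin/sh
# Added example (not part of the OpenSSL HOWTO): build the self-signed test
# certificate from section 4, check it, and produce the cert+key bundle
# that section 5 calls the simplest case.  Function names, the working
# directory and the subject are assumptions made for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH; nothing to demonstrate" >&2; exit 0; }

# Section 4's command, with '-subj' so it runs without prompting.
# Arguments: directory holding privkey.pem, validity in days, subject.
make_self_signed() {
    openssl req -new -x509 -key "$1/privkey.pem" -days "$2" -subj "$3" -out "$1/cacert.pem"
}

# The certificate carries the public key derived from our private key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1/cacert.pem" -noout -pubkey)
    from_key=$(openssl pkey -in "$1/privkey.pem" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# A self-signed certificate only verifies when it is itself the trust
# anchor, which is why a test certificate has to be installed explicitly
# in every client that should accept it.
verify_self_signed() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cacert.pem" >/dev/null 2>&1
}

# Succeeds if the certificate is still valid $2 seconds from now; openssl
# does the date arithmetic so notAfter never has to be parsed by hand.
cert_valid_for() {
    openssl x509 -in "$1/cacert.pem" -noout -checkend "$2" >/dev/null
}

# Section 5's simplest case: certificate followed by key in one PEM file.
# The bundle contains the private key, so it gets the key's file mode.
make_bundle() {
    cat "$1/cacert.pem" "$1/privkey.pem" > "$1/bundle.pem"
    chmod 600 "$1/bundle.pem"
}

# Number of PEM objects in a file: two for a certificate+key bundle.
pem_block_count() {
    grep -c '^-----BEGIN ' "$1"
}

# Subject and validity window, for a quick look at what was produced.
cert_summary() {
    openssl x509 -in "$1/cacert.pem" -noout -subject -dates
}

main() {
    work=$(mktemp -d)
    openssl genrsa -out "$work/privkey.pem" 2048 2>/dev/null   # section 2's key
    chmod 600 "$work/privkey.pem"
    make_self_signed "$work" 1095 "/CN=example.test"
    cert_matches_key "$work"          # each check aborts the script on failure (set -e)
    verify_self_signed "$work"
    cert_valid_for "$work" 86400      # still valid one day from now
    make_bundle "$work"
    echo "bundle.pem holds $(pem_block_count "$work/bundle.pem") PEM objects"
    cert_summary "$work"
    rm -rf "$work"
}

main
```

The bundle is only a convenience for applications that want one file; it does not change the trust situation, and because it now contains the private key it has to be protected exactly like privkey.pem.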