author Marc Espie <espie@cvs.openbsd.org> 2008-12-16 17:40:05 +0000
committer Marc Espie <espie@cvs.openbsd.org> 2008-12-16 17:40:05 +0000
commit 5bb7173ef215e2abaccb85075762119ec70aabaf
tree 606283ec44f15667f66b54c6aaa4459f802c71cc
parent 7c0ac147ef5862f46ff1ae78fd2381249cc49185
reorder so that web certificates are more obvious.
Avoid the classical noob problem: read half the manpage, figure out how to build a DSA certificate, then realize it's not what you need. Historically, RSA was patented, and so it made sense to put DSA first. But the patent expired a few years ago...
okay millert@, jmc@
-rw-r--r-- share/man/man8/ssl.8 70
1 files changed, 35 insertions, 35 deletions
diff --git a/share/man/man8/ssl.8 b/share/man/man8/ssl.8
index b0eecd9c996..d3436f97547 100644
--- a/share/man/man8/ssl.8
+++ b/share/man/man8/ssl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.8,v 1.44 2007/05/31 19:19:59 jmc Exp $
+.\" $OpenBSD: ssl.8,v 1.45 2008/12/16 17:40:04 espie Exp $
.\"
.\" Copyright (c) 1999 Theo de Raadt, Bob Beck
.\" All rights reserved.
@@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: December 16 2008 $
.Dt SSL 8
.Os
.Sh NAME
@@ -101,39 +101,6 @@ However, it is important to note that encrypted server keys mean that the
passphrase needs to be typed in every time the server is started.
If a passphrase is not used, you will need to be absolutely sure your
key file is kept secure.
-.Sh GENERATING DSA SERVER CERTIFICATES
-Generating a
-.Ar DSA
-certificate involves several steps.
-First, you generate a
-.Ar DSA
-parameter set with a command like the following:
-.Bd -literal -offset indent
-# openssl dsaparam 1024 -out dsa1024.pem
-.Ed
-.Pp
-Would generate
-.Ar DSA
-parameters for 1024 bit
-.Ar DSA
-keys, and save them to the
-file
-.Pa dsa1024.pem .
-.Pp
-Once you have the
-.Ar DSA
-parameters generated, you can generate a certificate
-and unencrypted private key using the command:
-.Bd -literal -offset indent
-# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \\
- -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
-.Ed
-.Pp
-To generate an encrypted private key, you would use:
-.Bd -literal -offset indent
-# openssl req -x509 -newkey dsa:dsa1024.pem \\
- -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
-.Ed
.Sh GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS
To support
.Ar https
@@ -198,6 +165,39 @@ you can switch to using the new certificate by replacing the self-signed
with the certificate signed by your Certifying Authority, and then
restarting
.Xr httpd 8
+.Sh GENERATING DSA SERVER CERTIFICATES
+Generating a
+.Ar DSA
+certificate involves several steps.
+First, you generate a
+.Ar DSA
+parameter set with a command like the following:
+.Bd -literal -offset indent
+# openssl dsaparam 1024 -out dsa1024.pem
+.Ed
+.Pp
+Would generate
+.Ar DSA
+parameters for 1024 bit
+.Ar DSA
+keys, and save them to the
+file
+.Pa dsa1024.pem .
+.Pp
+Once you have the
+.Ar DSA
+parameters generated, you can generate a certificate
+and unencrypted private key using the command:
+.Bd -literal -offset indent
+# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \\
+ -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+.Ed
+.Pp
+To generate an encrypted private key, you would use:
+.Bd -literal -offset indent
+# openssl req -x509 -newkey dsa:dsa1024.pem \\
+ -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+.Ed
.Sh USING SSL/TLS WITH SENDMAIL
By default,
.Xr sendmail 8