author | Marc Espie <espie@cvs.openbsd.org> | 2008-12-16 17:40:05 +0000 |
---|---|---|
committer | Marc Espie <espie@cvs.openbsd.org> | 2008-12-16 17:40:05 +0000 |
commit | 5bb7173ef215e2abaccb85075762119ec70aabaf (patch) | |
tree | 606283ec44f15667f66b54c6aaa4459f802c71cc /share/man/man8 | |
parent | 7c0ac147ef5862f46ff1ae78fd2381249cc49185 (diff) |
reorder so that web certificates are more obvious.
Avoid the classical noob problem: read half the manpage, figure out
how to build a DSA certificate, then realize it's not what you need.
Historically, RSA was patented, and so it made sense to put DSA first.
But the patent expired a few years ago...
okay millert@, jmc@
Diffstat (limited to 'share/man/man8')
-rw-r--r-- | share/man/man8/ssl.8 | 70 |
1 files changed, 35 insertions, 35 deletions
diff --git a/share/man/man8/ssl.8 b/share/man/man8/ssl.8 index b0eecd9c996..d3436f97547 100644 --- a/share/man/man8/ssl.8 +++ b/share/man/man8/ssl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssl.8,v 1.44 2007/05/31 19:19:59 jmc Exp $ +.\" $OpenBSD: ssl.8,v 1.45 2008/12/16 17:40:04 espie Exp $ .\" .\" Copyright (c) 1999 Theo de Raadt, Bob Beck .\" All rights reserved. @@ -23,7 +23,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: December 16 2008 $ .Dt SSL 8 .Os .Sh NAME @@ -101,39 +101,6 @@ However, it is important to note that encrypted server keys mean that the passphrase needs to be typed in every time the server is started. If a passphrase is not used, you will need to be absolutely sure your key file is kept secure. -.Sh GENERATING DSA SERVER CERTIFICATES -Generating a -.Ar DSA -certificate involves several steps. -First, you generate a -.Ar DSA -parameter set with a command like the following: -.Bd -literal -offset indent -# openssl dsaparam 1024 -out dsa1024.pem -.Ed -.Pp -Would generate -.Ar DSA -parameters for 1024 bit -.Ar DSA -keys, and save them to the -file -.Pa dsa1024.pem . -.Pp -Once you have the -.Ar DSA -parameters generated, you can generate a certificate -and unencrypted private key using the command: -.Bd -literal -offset indent -# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \\ - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem -.Ed -.Pp -To generate an encrypted private key, you would use: -.Bd -literal -offset indent -# openssl req -x509 -newkey dsa:dsa1024.pem \\ - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem -.Ed .Sh GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS To support .Ar https 
@@ -198,6 +165,39 @@ you can switch to using the new certificate by replacing the self-signed with the certificate signed by your Certifying Authority, and then restarting .Xr httpd 8 +.Sh GENERATING DSA SERVER CERTIFICATES +Generating a +.Ar DSA +certificate involves several steps. +First, you generate a +.Ar DSA +parameter set with a command like the following: +.Bd -literal -offset indent +# openssl dsaparam 1024 -out dsa1024.pem +.Ed +.Pp +Would generate +.Ar DSA +parameters for 1024 bit +.Ar DSA +keys, and save them to the +file +.Pa dsa1024.pem . +.Pp +Once you have the +.Ar DSA +parameters generated, you can generate a certificate +and unencrypted private key using the command: +.Bd -literal -offset indent +# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \\ + -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +.Ed +.Pp +To generate an encrypted private key, you would use: +.Bd -literal -offset indent +# openssl req -x509 -newkey dsa:dsa1024.pem \\ + -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +.Ed .Sh USING SSL/TLS WITH SENDMAIL By default, .Xr sendmail 8 |
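Review bot: In the hunk at @@ -198,6 +165,39 @@, the relocated DSA section still carries the sentence fragment that begins "Would generate" after the first `.Ed`. It has no subject, and since the block is being moved anyway this is a good moment to turn it into a full sentence, for example "This generates DSA parameters for 1024 bit DSA keys and saves them to the file dsa1024.pem." The new section also says nothing about the distinction the commit message draws. A reader who jumps straight to `.Sh GENERATING DSA SERVER CERTIFICATES` can still make the mistake the reorder is meant to prevent, so consider opening the section with one sentence that points readers who need a web server certificate to the RSA section above. Last, the context line `.Xr httpd 8` just before the new `.Sh` ends its sentence without a closing period; `.Xr httpd 8 .` would fix that while the area is being edited.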