summaryrefslogtreecommitdiff
path: root/share/man
diff options
context:
space:
mode:
authorStuart Henderson <sthen@cvs.openbsd.org>2013-03-07 13:19:55 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2013-03-07 13:19:55 +0000
commitf4b1cab25e3138b8d9fe0f06f49815d8894d03df (patch)
tree7bafacc0eb0fe04e070775db165d66a8cacac9af /share/man
parent557984bde594f4b22620c18c81dd3719a8943a67 (diff)
Add ECDSA instructions to ssl(8), with this and DSA's method now generating
a CSR first, then a self-signed cert as a separate step, using the -days and -sha256 options in the example. Syncs with style used for RSA here/faq and saves hair pulling if you actually want a CSR and don't notice the "-x509". Tweaks from jmc@, stsp and jung like the separate use of -days.
Diffstat (limited to 'share/man')
-rw-r--r--share/man/man8/ssl.862
1 files changed, 54 insertions, 8 deletions
diff --git a/share/man/man8/ssl.8 b/share/man/man8/ssl.8
index 2b7455e0ab3..95d79c8a4e1 100644
--- a/share/man/man8/ssl.8
+++ b/share/man/man8/ssl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.8,v 1.53 2012/11/27 01:02:07 djm Exp $
+.\" $OpenBSD: ssl.8,v 1.54 2013/03/07 13:19:54 sthen Exp $
.\"
.\" Copyright (c) 1999 Theo de Raadt, Bob Beck
.\" All rights reserved.
@@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 27 2012 $
+.Dd $Mdocdate: March 7 2013 $
.Dt SSL 8
.Os
.Sh NAME
@@ -150,17 +150,63 @@ The following command will generate 1024-bit keys:
# openssl dsaparam 1024 -out dsa1024.pem
.Ed
.Pp
-Once you have the DSA parameters generated, you can generate a certificate
-and unencrypted private key using the command:
+Once you have the DSA parameters generated, you can generate a
+CSR and unencrypted private key using the command:
.Bd -literal -offset indent
-# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \e
- -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+# openssl req -nodes -newkey dsa:dsa1024.pem \e
+ -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
.Ed
.Pp
To generate an encrypted private key, you would use:
.Bd -literal -offset indent
-# openssl req -x509 -newkey dsa:dsa1024.pem \e
- -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem
+# openssl req -newkey dsa:dsa1024.pem \e
+ -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem
+.Ed
+.Pp
+This
+.Pa server.csr
+file can then be given to a CA who will sign the key.
+.Pp
+You can also sign the key yourself, using the command:
+.Bd -literal -offset indent
+# openssl x509 -sha256 -req -days 365 \e
+ -in /etc/ssl/private/dsacert.csr \e
+ -signkey /etc/ssl/private/dsacert.key \e
+ -out /etc/ssl/dsacert.crt
+.Ed
+.Sh GENERATING ECDSA SERVER CERTIFICATES
+First, generate parameters for ECDSA keys.
+The following command will use a NIST/SECG curve over a 384-bit
+prime field:
+.Bd -literal -offset indent
+# openssl ecparam -out ec-secp384r1.pem -name secp384r1
+.Ed
+.Pp
+Once you have the ECDSA parameters generated, you can generate a
+CSR and unencrypted private key using the command:
+.Bd -literal -offset indent
+# openssl req -nodes -newkey ec:ec-secp384r1.pem \e
+ -keyout /etc/ssl/private/eccert.key -new \e
+ -out /etc/ssl/private/eccert.csr
+.Ed
+.Pp
+To generate an encrypted private key, you would use:
+.Bd -literal -offset indent
+# openssl req -newkey ec:ec-secp384r1.pem \e
+ -keyout /etc/ssl/private/eccert.key -new \e
+ -out /etc/ssl/private/eccert.csr
+.Ed
+.Pp
+This
+.Pa eccert.csr
+file can then be given to a CA who will sign the key.
+.Pp
+You can also sign the key yourself, using the command:
+.Bd -literal -offset indent
+# openssl x509 -sha256 -req -days 365 \e
+ -in /etc/ssl/private/eccert.csr \e
+ -signkey /etc/ssl/private/eccert.key \e
+ -out /etc/ssl/eccert.crt
.Ed
.Sh USING SSL/TLS WITH SENDMAIL
By default,