diff options
author | Stuart Henderson <sthen@cvs.openbsd.org> | 2013-03-07 13:19:55 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2013-03-07 13:19:55 +0000 |
commit | f4b1cab25e3138b8d9fe0f06f49815d8894d03df (patch) | |
tree | 7bafacc0eb0fe04e070775db165d66a8cacac9af /share/man | |
parent | 557984bde594f4b22620c18c81dd3719a8943a67 (diff) |
Add ECDSA instructions to ssl(8), with this and DSA's method now generating
a CSR first, then a self-signed cert as a separate step, using the -days and
-sha256 options in the example. Syncs with style used for RSA here/faq and
saves hair pulling if you actually want a CSR and don't notice the "-x509".
Tweaks from jmc@, stsp and jung like the separate use of -days.
Diffstat (limited to 'share/man')
-rw-r--r-- | share/man/man8/ssl.8 | 62 |
1 files changed, 54 insertions, 8 deletions
diff --git a/share/man/man8/ssl.8 b/share/man/man8/ssl.8 index 2b7455e0ab3..95d79c8a4e1 100644 --- a/share/man/man8/ssl.8 +++ b/share/man/man8/ssl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssl.8,v 1.53 2012/11/27 01:02:07 djm Exp $ +.\" $OpenBSD: ssl.8,v 1.54 2013/03/07 13:19:54 sthen Exp $ .\" .\" Copyright (c) 1999 Theo de Raadt, Bob Beck .\" All rights reserved. @@ -23,7 +23,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2012 $ +.Dd $Mdocdate: March 7 2013 $ .Dt SSL 8 .Os .Sh NAME @@ -150,17 +150,63 @@ The following command will generate 1024-bit keys: # openssl dsaparam 1024 -out dsa1024.pem .Ed .Pp -Once you have the DSA parameters generated, you can generate a certificate -and unencrypted private key using the command: +Once you have the DSA parameters generated, you can generate a +CSR and unencrypted private key using the command: .Bd -literal -offset indent -# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +# openssl req -nodes -newkey dsa:dsa1024.pem \e + -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem .Ed .Pp To generate an encrypted private key, you would use: .Bd -literal -offset indent -# openssl req -x509 -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +# openssl req -newkey dsa:dsa1024.pem \e + -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem +.Ed +.Pp +This +.Pa server.csr +file can then be given to a CA who will sign the key. +.Pp +You can also sign the key yourself, using the command: +.Bd -literal -offset indent +# openssl x509 -sha256 -req -days 365 \e + -in /etc/ssl/private/dsacert.csr \e + -signkey /etc/ssl/private/dsacert.key \e + -out /etc/ssl/dsacert.crt +.Ed +.Sh GENERATING ECDSA SERVER CERTIFICATES +First, generate parameters for ECDSA keys. +The following command will use a NIST/SECG curve over a 384-bit +prime field: +.Bd -literal -offset indent +# openssl ecparam -out ec-secp384r1.pem -name secp384r1 +.Ed +.Pp +Once you have the ECDSA parameters generated, you can generate a +CSR and unencrypted private key using the command: +.Bd -literal -offset indent +# openssl req -nodes -newkey ec:ec-secp384r1.pem \e + -keyout /etc/ssl/private/eccert.key -new \e + -out /etc/ssl/private/eccert.csr +.Ed +.Pp +To generate an encrypted private key, you would use: +.Bd -literal -offset indent +# openssl req -newkey ec:ec-secp384r1.pem \e + -keyout /etc/ssl/private/eccert.key -new \e + -out /etc/ssl/private/eccert.csr +.Ed +.Pp +This +.Pa eccert.csr +file can then be given to a CA who will sign the key. +.Pp +You can also sign the key yourself, using the command: +.Bd -literal -offset indent +# openssl x509 -sha256 -req -days 365 \e + -in /etc/ssl/private/eccert.csr \e + -signkey /etc/ssl/private/eccert.key \e + -out /etc/ssl/eccert.crt .Ed .Sh USING SSL/TLS WITH SENDMAIL By default, |