From 5bb7173ef215e2abaccb85075762119ec70aabaf Mon Sep 17 00:00:00 2001 From: Marc Espie Date: Tue, 16 Dec 2008 17:40:05 +0000 Subject: reorder so that web certificates are more obvious. Avoid the classical noob problem: read half the manpage, figure out how to build a DSA certificate, then realize it's not what you need. historically, RSA was patented, and so it made sense to put DSA first. But the patent expired a few years ago... okay millert@, jmc@ --- share/man/man8/ssl.8 | 70 ++++++++++++++++++++++++++-------------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/share/man/man8/ssl.8 b/share/man/man8/ssl.8 index b0eecd9c996..d3436f97547 100644 --- a/share/man/man8/ssl.8 +++ b/share/man/man8/ssl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssl.8,v 1.44 2007/05/31 19:19:59 jmc Exp $ +.\" $OpenBSD: ssl.8,v 1.45 2008/12/16 17:40:04 espie Exp $ .\" .\" Copyright (c) 1999 Theo de Raadt, Bob Beck .\" All rights reserved. @@ -23,7 +23,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: December 16 2008 $ .Dt SSL 8 .Os .Sh NAME 
@@ -101,39 +101,6 @@ However, it is important to note that encrypted server keys mean that the passphrase needs to be typed in every time the server is started. If a passphrase is not used, you will need to be absolutely sure your key file is kept secure. -.Sh GENERATING DSA SERVER CERTIFICATES -Generating a -.Ar DSA -certificate involves several steps. -First, you generate a -.Ar DSA -parameter set with a command like the following: -.Bd -literal -offset indent -# openssl dsaparam 1024 -out dsa1024.pem -.Ed -.Pp -Would generate -.Ar DSA -parameters for 1024 bit -.Ar DSA -keys, and save them to the -file -.Pa dsa1024.pem . -.Pp -Once you have the -.Ar DSA -parameters generated, you can generate a certificate -and unencrypted private key using the command: -.Bd -literal -offset indent -# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \\ - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem -.Ed -.Pp -To generate an encrypted private key, you would use: -.Bd -literal -offset indent -# openssl req -x509 -newkey dsa:dsa1024.pem \\ - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem -.Ed .Sh GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS To support .Ar https 
@@ -198,6 +165,39 @@ you can switch to using the new certificate by replacing the self-signed with the certificate signed by your Certifying Authority, and then restarting .Xr httpd 8 +.Sh GENERATING DSA SERVER CERTIFICATES +Generating a +.Ar DSA +certificate involves several steps. +First, you generate a +.Ar DSA +parameter set with a command like the following: +.Bd -literal -offset indent +# openssl dsaparam 1024 -out dsa1024.pem +.Ed +.Pp +Would generate +.Ar DSA +parameters for 1024 bit +.Ar DSA +keys, and save them to the +file +.Pa dsa1024.pem . +.Pp +Once you have the +.Ar DSA +parameters generated, you can generate a certificate +and unencrypted private key using the command: +.Bd -literal -offset indent +# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \\ + -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +.Ed +.Pp +To generate an encrypted private key, you would use: +.Bd -literal -offset indent +# openssl req -x509 -newkey dsa:dsa1024.pem \\ + -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +.Ed .Sh USING SSL/TLS WITH SENDMAIL By default, .Xr sendmail 8 -- cgit v1.2.3
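Review bot: In the hunk at -101,39 that removes the DSA section, the passphrase caveat kept as context ("If a passphrase is not used, you will need to be absolutely sure your key file is kept secure.") now leads straight into the RSA section, while the DSA commands it also applies to move to the far side of the httpd text. The relocated `-nodes` command still writes an unencrypted key to /etc/ssl/private/dsakey.pem, so a reader who jumps directly to the DSA section no longer passes the warning first. Consider a one-line pointer back to the caveat in the moved section, or repeating it next to the `-nodes` example.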
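Review bot: In the hunk at +165,39, the relocated section opens with "Generating a DSA certificate involves several steps." and never says when a DSA certificate is the right choice, so the confusion described in the commit message is postponed rather than removed. A short opening sentence stating that web servers want the RSA procedure above, and what DSA certificates are for, would make the reorder self-explanatory. Two smaller points on the same lines, which are moved verbatim: the paragraph starting "Would generate" after `.Pp` is a sentence fragment with no subject, and the example hard-codes a 1024-bit parameter set in `openssl dsaparam 1024`, which is worth revisiting while this text is being touched. The context line `.Xr httpd 8` just above the insertion also ends its sentence without a closing period.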