aboutsummaryrefslogtreecommitdiff
path: root/openssl/doc/HOWTO/keys.txt
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/doc/HOWTO/keys.txt')
-rw-r--r--openssl/doc/HOWTO/keys.txt73
1 files changed, 73 insertions, 0 deletions
diff --git a/openssl/doc/HOWTO/keys.txt b/openssl/doc/HOWTO/keys.txt
new file mode 100644
index 000000000..7ae2a3a11
--- /dev/null
+++ b/openssl/doc/HOWTO/keys.txt
@@ -0,0 +1,73 @@
+<DRAFT!>
+ HOWTO keys
+
+1. Introduction
+
+Keys are the basis of public key algorithms and PKI. Keys usually
+come in pairs, with one half being the public key and the other half
+being the private key. With OpenSSL, the private key contains the
+public key information as well, so a public key doesn't need to be
+generated separately.
+
+Public keys come in several flavors, using different cryptographic
+algorithms. The most popular ones associated with certificates are
+RSA and DSA, and this HOWTO will show how to generate each of them.
+
+
+2. To generate a RSA key
+
+A RSA key can be used both for encryption and for signing.
+
+Generating a key for the RSA algorithm is quite easy, all you have to
+do is the following:
+
+ openssl genrsa -des3 -out privkey.pem 2048
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+ NOTE: if you intend to use the key together with a server
+ certificate, it may be a good thing to avoid protecting it
+ with a password, since that would mean someone would have to
+ type in the password every time the server needs to access
+ the key.
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for RSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+
+3. To generate a DSA key
+
+A DSA key can be used for signing only. This is important to keep
+in mind to know what kind of purposes a certificate request with a
+DSA key can really be used for.
+
+Generating a key for the DSA algorithm is a two-step process. First,
+you have to generate parameters from which to generate the key:
+
+ openssl dsaparam -out dsaparam.pem 2048
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for DSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+When that is done, you can generate a key using the parameters in
+question (actually, several keys can be generated from the same
+parameters):
+
+ openssl gendsa -des3 -out privkey.pem dsaparam.pem
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+ NOTE: if you intend to use the key together with a server
+ certificate, it may be a good thing to avoid protecting it
+ with a password, since that would mean someone would have to
+ type in the password every time the server needs to access
+ the key.
+
+--
+Richard Levitte