Member "openssl-1.1.1b/doc/HOWTO/keys.txt" (26 Feb 2019, 3653 Bytes) of package /linux/misc/openssl-1.1.1b.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "keys.txt": 1.1.0i_vs_1.1.1.

<DRAFT!>
			HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI.  Keys usually
come in pairs, with one half being the public key and the other half
being the private key.  With OpenSSL, the private key contains the
public key information as well, so a public key doesn't need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms.  The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.


2. To generate an RSA key

An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy, all you have to
do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for RSA keys, as smaller keys are considered
insecure already or are expected to become insecure soon.


3. To generate a DSA key

A DSA key can be used for signing only.  It is important to
know what a certificate request with a DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process.  First,
you have to generate parameters from which to generate the key:

  openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for DSA keys, as smaller keys are considered
insecure already or are expected to become insecure soon.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

  openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.


4. To generate an EC key

An EC key can be used both for key agreement (ECDH) and signing (ECDSA).

Generating a key for ECC is similar to generating a DSA key. Both are
two-step processes. First, you have to get the EC parameters from which
the key will be generated:

  openssl ecparam -name prime256v1 -out prime256v1.pem

prime256v1, also known as NIST P-256 and described by OpenSSL as 'X9.62/SECG
curve over a 256-bit prime field', is the name of the elliptic curve from
which the parameters are generated. You can use the following command to
list all supported curves:

  openssl ecparam -list_curves

When that is done, you can generate a key using the created parameters (several
keys can be produced from the same parameters):

  openssl genpkey -des3 -paramfile prime256v1.pem -out private.key

With this variant, you will be prompted for a password to protect your key.
If you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

You can also directly generate the key in one step:

  openssl ecparam -genkey -name prime256v1 -out private.key

or

  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256


5. NOTE

If you intend to use the key together with a server certificate,
it may be reasonable to avoid protecting it with a password, since
otherwise someone would have to type in the password every time the
server needs to access the key.

X25519 and X448 are each treated as a distinct algorithm, not as one of
the curves listed by the 'ecparam -list_curves' option. You can use
the following command to generate an X25519 key:

  openssl genpkey -algorithm X25519 -out xkey.pem
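Added example, not part of this HOWTO or of the OpenSSL project: a POSIX shell script that runs the RSA, EC and X25519 generation commands from sections 2, 4 and 5 and then checks each result the way an operator would before deploying it (key size, curve, that the public half can be derived from the private key as section 1 says, and that the '-des3' variant is really encrypted). It assumes openssl 1.1.1 or later on PATH; the passphrase and the scratch file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the OpenSSL HOWTO: generate the key types the HOWTO
# covers and check each result the way an operator would before deploying it.
# Assumes openssl 1.1.1 or later on PATH; file names below are scratch files.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='constructed-test-passphrase'   # constructed for this example only

# RSA (section 2): generate an unencrypted 2048-bit key, then read its size back.
gen_rsa_bits() {
    openssl genrsa -out "$WORK/rsa.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/rsa.pem" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# EC (section 4, one-step form): generate, then confirm which curve was used.
gen_ec_curve() {
    openssl ecparam -genkey -name prime256v1 -out "$WORK/ec.pem" 2>/dev/null
    openssl ec -in "$WORK/ec.pem" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# Section 1: the private key carries the public half. Derive it with
# 'pkey -pubout' and check that both halves report the same RSA modulus.
pubkey_matches_private() {
    [ -f "$WORK/rsa.pem" ] || openssl genrsa -out "$WORK/rsa.pem" 2048 2>/dev/null
    openssl pkey -in "$WORK/rsa.pem" -pubout -out "$WORK/rsa.pub" 2>/dev/null
    priv=$(openssl rsa -in "$WORK/rsa.pem" -noout -modulus 2>/dev/null)
    pub=$(openssl rsa -pubin -in "$WORK/rsa.pub" -noout -modulus 2>/dev/null)
    [ -n "$priv" ] && [ "$priv" = "$pub" ] && echo match || echo mismatch
}

# Password-protected variant ('-des3'): the PEM must be marked ENCRYPTED, must
# refuse a wrong passphrase, and must load with the right one.
encrypted_key_status() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/rsa_enc.pem" 2048 2>/dev/null
    grep -q ENCRYPTED "$WORK/rsa_enc.pem" || { echo plaintext; return 0; }
    if openssl pkey -in "$WORK/rsa_enc.pem" -passin pass:wrong -noout 2>/dev/null; then
        echo wrong-passphrase-accepted; return 0
    fi
    openssl pkey -in "$WORK/rsa_enc.pem" -passin "pass:$PASS" -noout 2>/dev/null &&
        echo encrypted || echo unreadable
}

# X25519 (section 5) is its own algorithm, not an ecparam curve.
x25519_algorithm() {
    openssl genpkey -algorithm X25519 -out "$WORK/xkey.pem" 2>/dev/null
    openssl pkey -in "$WORK/xkey.pem" -noout -text 2>/dev/null | sed -n '1s/ Private-Key:.*//p'
}
echo "rsa=$(gen_rsa_bits) ec=$(gen_ec_curve) pub=$(pubkey_matches_private) enc=$(encrypted_key_status) x=$(x25519_algorithm)"
```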