aboutsummaryrefslogtreecommitdiff
path: root/openssl-1.1.0h/doc/HOWTO/keys.txt
diff options
context:
space:
mode:
Diffstat (limited to 'openssl-1.1.0h/doc/HOWTO/keys.txt')
-rw-r--r--openssl-1.1.0h/doc/HOWTO/keys.txt105
1 files changed, 105 insertions, 0 deletions
diff --git a/openssl-1.1.0h/doc/HOWTO/keys.txt b/openssl-1.1.0h/doc/HOWTO/keys.txt
new file mode 100644
index 0000000..1662c17
--- /dev/null
+++ b/openssl-1.1.0h/doc/HOWTO/keys.txt
@@ -0,0 +1,105 @@
+<DRAFT!>
+ HOWTO keys
+
+1. Introduction
+
+Keys are the basis of public key algorithms and PKI. Keys usually
+come in pairs, with one half being the public key and the other half
+being the private key. With OpenSSL, the private key contains the
+public key information as well, so a public key doesn't need to be
+generated separately.
+
+Public keys come in several flavors, using different cryptographic
+algorithms. The most popular ones associated with certificates are
+RSA and DSA, and this HOWTO will show how to generate each of them.
+
+
+2. To generate a RSA key
+
+A RSA key can be used both for encryption and for signing.
+
+Generating a key for the RSA algorithm is quite easy, all you have to
+do is the following:
+
+ openssl genrsa -des3 -out privkey.pem 2048
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for RSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+
+3. To generate a DSA key
+
+A DSA key can be used for signing only. It is important to
+know what a certificate request with a DSA key can really be used for.
+
+Generating a key for the DSA algorithm is a two-step process. First,
+you have to generate parameters from which to generate the key:
+
+ openssl dsaparam -out dsaparam.pem 2048
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for DSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+When that is done, you can generate a key using the parameters in
+question (actually, several keys can be generated from the same
+parameters):
+
+ openssl gendsa -des3 -out privkey.pem dsaparam.pem
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+
+4. To generate an EC key
+
+An EC key can be used both for key agreement (ECDH) and signing (ECDSA).
+
+Generating a key for ECC is similar to generating a DSA key. These are
+two-step processes. First, you have to get the EC parameters from which
+the key will be generated:
+
+ openssl ecparam -name prime256v1 -out prime256v1.pem
+
+The prime256v1, or NIST P-256, which stands for 'X9.62/SECG curve over
+a 256-bit prime field', is the name of an elliptic curve which generates the
+parameters. You can use the following command to list all supported curves:
+
+ openssl ecparam -list_curves
+
+When that is done, you can generate a key using the created parameters (several
+keys can be produced from the same parameters):
+
+ openssl genpkey -des3 -paramfile prime256v1.pem -out private.key
+
+With this variant, you will be prompted for a password to protect your key.
+If you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+You can also directly generate the key in one step:
+
+ openssl ecparam -genkey -name prime256v1 -out private.key
+
+or
+
+ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256
+
+
+5. NOTE
+
+If you intend to use the key together with a server certificate,
+it may be reasonable to avoid protecting it with a password, since
+otherwise someone would have to type in the password every time the
+server needs to access the key.
+
+For X25519, it's treated as a distinct algorithm but not as one of
+the curves listed with 'ecparam -list_curves' option. You can use
+the following command to generate an X25519 key:
+
+ openssl genpkey -algorithm X25519 -out xkey.pem