From aa4d426b4d3527d7e166df1a05058c9a4a0f6683 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Fri, 30 Apr 2021 00:33:56 +0200 Subject: initial/final commit --- openssl-1.1.0h/doc/HOWTO/keys.txt | 105 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 openssl-1.1.0h/doc/HOWTO/keys.txt (limited to 'openssl-1.1.0h/doc/HOWTO/keys.txt') diff --git a/openssl-1.1.0h/doc/HOWTO/keys.txt b/openssl-1.1.0h/doc/HOWTO/keys.txt new file mode 100644 index 0000000..1662c17 --- /dev/null +++ b/openssl-1.1.0h/doc/HOWTO/keys.txt @@ -0,0 +1,105 @@ + + HOWTO keys + +1. Introduction + +Keys are the basis of public key algorithms and PKI. Keys usually +come in pairs, with one half being the public key and the other half +being the private key. With OpenSSL, the private key contains the +public key information as well, so a public key doesn't need to be +generated separately. + +Public keys come in several flavors, using different cryptographic +algorithms. The most popular ones associated with certificates are +RSA and DSA, and this HOWTO will show how to generate each of them. + + +2. To generate a RSA key + +A RSA key can be used both for encryption and for signing. + +Generating a key for the RSA algorithm is quite easy, all you have to +do is the following: + + openssl genrsa -des3 -out privkey.pem 2048 + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for RSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. + + +3. To generate a DSA key + +A DSA key can be used for signing only. It is important to +know what a certificate request with a DSA key can really be used for. + +Generating a key for the DSA algorithm is a two-step process. First, +you have to generate parameters from which to generate the key: + + openssl dsaparam -out dsaparam.pem 2048 + +The number 2048 is the size of the key, in bits. Today, 2048 or +higher is recommended for DSA keys, as fewer amount of bits is +consider insecure or to be insecure pretty soon. + +When that is done, you can generate a key using the parameters in +question (actually, several keys can be generated from the same +parameters): + + openssl gendsa -des3 -out privkey.pem dsaparam.pem + +With this variant, you will be prompted for a protecting password. If +you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + + +4. To generate an EC key + +An EC key can be used both for key agreement (ECDH) and signing (ECDSA). + +Generating a key for ECC is similar to generating a DSA key. These are +two-step processes. First, you have to get the EC parameters from which +the key will be generated: + + openssl ecparam -name prime256v1 -out prime256v1.pem + +The prime256v1, or NIST P-256, which stands for 'X9.62/SECG curve over +a 256-bit prime field', is the name of an elliptic curve which generates the +parameters. You can use the following command to list all supported curves: + + openssl ecparam -list_curves + +When that is done, you can generate a key using the created parameters (several +keys can be produced from the same parameters): + + openssl genpkey -des3 -paramfile prime256v1.pem -out private.key + +With this variant, you will be prompted for a password to protect your key. +If you don't want your key to be protected by a password, remove the flag +'-des3' from the command line above. + +You can also directly generate the key in one step: + + openssl ecparam -genkey -name prime256v1 -out private.key + +or + + openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 + + +5. NOTE + +If you intend to use the key together with a server certificate, +it may be reasonable to avoid protecting it with a password, since +otherwise someone would have to type in the password every time the +server needs to access the key. + +For X25519, it's treated as a distinct algorithm but not as one of +the curves listed with 'ecparam -list_curves' option. You can use +the following command to generate an X25519 key: + + openssl genpkey -algorithm X25519 -out xkey.pem -- cgit v1.2.3