> From: owner-openssl-us...@openssl.org On Behalf Of xiao han
> Sent: Monday, 02 March, 2009 15:33

> I have a problem: I do not know how to generate a private key with a
> certificate.

> I can generate a key without certificate by
> openssl genrsa -out mykey.pem 1024
> but this will only have the private key without certificate
<snip key>
(Aside: I assume the line breaks are uniform in your actual mykey.pem file.
Whatever method you used to get it into HTML email screwed them up.)

Also, storing a privatekey unencrypted is generally a bad idea.
(Of course, posting it unencrypted to the Internet is even worse!)
Use at least -des3 or -aes128 unless you have a good reason not to.

> what I want is the private key as following

> I have previously downloaded the files of private key from
> http://www.rtfm.com/openssl-examples/

> I will attach the private key in this email
<snip copy of client.pem =privkey+cert from cited source>
> but this private key is expired so I have to generate it myself
> Can anyone be very kind to tell me
> how to generate a private key with certificate by openssl command.

The key hasn't (necessarily) expired; the cert for it has.
And so has its parent CA cert (in root.pem at the same source).
(But the key is not at all secure, having been published, and
thus should be used only for development/test and the like.)

In general the way you get a cert for a keypair is:
- generate a Certificate Signing Request aka CSR, which
contains the basic information to go into the cert, which
is your identity* and the publickey (derived from your privatekey);
it is signed by your privatekey, proving you have possession of it
- submit the CSR to a Certificate Authority aka CA, which
checks that your identity is acceptable (according to some rules)
and if so creates a cert, which is signed by the CA's (private)key.
It may then return that cert to you to use (e.g. send),
and/or publish it by other means (e.g. on a server);
either way your cert is later validated using the 'parent' CA cert
(for the issuing key), which may be a 'root' cert (self-signed), or
in general may 'chain' to a root through additional levels.
(* There can be certificates for things other than identities,
but they are rarely used and never what people mean when we
talk about certificates in an Internet and SSL/TLS context.)

openssl commandline 'req' with -new does the former function,
and 'ca' does the cryptographic parts of the latter.
As a shortcut, in cases where you don't care about
external authentication, 'req' with (also) -x509 can
generate a self-signed cert directly in one step.
(This is commonly the case for development/test, and
sometimes for operations within a business/organization;
it is less often true on the public Internet, except
among people who don't understand or care about security.)

You can generate a CSR or cert for an existing privatekey,
or 'req' can itself generate (and save) the new key (see -newkey).
'req' uses a config file, defaulting to your installed openssl.cnf,
to specify the identity fields to be prompted for (or just set) --
the standard hierarchy includes country/state/locality/organization/
orgunit/commonname, and extension fields can also be used --
and other attributes of the CSR or the selfsigned cert.

You can get a brief help display for any openssl utility
by giving it the argument -? e.g.
  openssl genrsa -?
  openssl rsa -?
  openssl req -?
  openssl x509 -?
and on Unix (or sufficiently close, I suspect including cygwin)
you can get the full man page by e.g. man [-s1] req; if openssl
is not installed in the normal system location(s?) you need to
modify your MANPATH environment variable appropriately.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
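The procedure the reply lays out (private key, CSR, and the 'req -x509' self-signed shortcut, then key+cert in one file like client.pem), as an added shell example that is not part of the original message or the cited rtfm.com files. Filenames, subject fields and the passphrase are assumed test values, and it needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: RSA key -> CSR -> self-signed
# cert (req -x509) -> combined privkey+cert file like the cited client.pem.
# Filenames, subject fields and the passphrase "devtest" are assumed test values.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=US/ST=Test/L=Test/O=Example Dev/OU=Test/CN=client.example.test"
PASS="pass:devtest"   # constructed test passphrase; never reuse for real keys

# Step 1: private key, encrypted with AES-128 as the reply recommends.
# -passout supplies the passphrase non-interactively.
gen_key() {
    openssl genrsa -aes128 -passout "$PASS" -out "$WORKDIR/mykey.pem" 2048
}

# Step 2: CSR for that key. -subj supplies the identity fields instead of
# prompting from openssl.cnf; the CSR is signed with the private key.
gen_csr() {
    openssl req -new -key "$WORKDIR/mykey.pem" -passin "$PASS" \
        -subj "$SUBJ" -out "$WORKDIR/mycsr.pem"
}

# Step 3 (shortcut for dev/test): self-signed cert straight from the key,
# valid for 365 days, skipping the CA entirely.
gen_selfsigned() {
    openssl req -x509 -new -key "$WORKDIR/mykey.pem" -passin "$PASS" \
        -subj "$SUBJ" -days 365 -out "$WORKDIR/mycert.pem"
}

# Concatenate key and cert into one PEM file, the layout of client.pem.
assemble() {
    cat "$WORKDIR/mykey.pem" "$WORKDIR/mycert.pem" > "$WORKDIR/client.pem"
}

# Checks a practitioner would run: the CSR's self-signature verifies, the
# cert validates against itself as its own root, and key and cert carry
# the same RSA modulus (i.e. the cert really belongs to this key).
check() {
    openssl req -in "$WORKDIR/mycsr.pem" -noout -verify >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$WORKDIR/mycert.pem" "$WORKDIR/mycert.pem" >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$WORKDIR/mykey.pem" -passin "$PASS" -noout -modulus) || return 1
    cmod=$(openssl x509 -in "$WORKDIR/mycert.pem" -noout -modulus) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

build_all() { gen_key && gen_csr && gen_selfsigned && assemble && check; }
if [ "${1:-}" = "run" ]; then build_all && echo "wrote $WORKDIR/client.pem"; fi
```

Run it as `sh script.sh run`; the resulting client.pem is only suitable for development/test, as the reply says of the published rtfm.com key.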