> From: owner-openssl-us...@openssl.org On Behalf Of Matthias Apitz
> Sent: Sunday, 22 July, 2012 02:54

> I'm trying to build openssl keys to be used in a client/server connection
> and need some step by step guide for this, as I'm doing it for the
> first time.
>
> 1) openssl req -out ca.pem -new -x509
>
> -generates CA file "ca.pem" and CA key "privkey.pem"
>
> Generate server certificate/key pair - no password required.
>
> 2) openssl genrsa -out server.key 1024
> 3) openssl req -key server.key -new -out server.req
> 4) openssl x509 -req -in server.req -CA ca.pem -CAkey
>    privkey.pem -CAserial file.srl -out server.pem
>
> (contents of "file.srl" is a two digit number, e.g. "00")
>

Strictly, any practical multiple of two hex digits, aka hexits.
Zeros are valid digits in any (sane) radix.

> Generate client certificate/key pair
>
> 5) Either choose to encrypt the key (a) or not (b)
>    a. Encrypt the client key with a passphrase
>       openssl genrsa -des3 -out client.key 1024
>    b. Don't encrypt the client key (I used this)
>       openssl genrsa -out client.key 1024
> 6) openssl req -key client.key -new -out client.req
> 7) openssl x509 -req -in client.req -CA ca.pem -CAkey
>    privkey.pem -CAserial file.srl -out client.pem
>

Client key&cert are only needed if you want to use client authentication
for your connection(s). This is optional in the protocol; some applications
use it but most don't. Some applications that use it only use it sometimes.
Technically the protocol can also omit server authentication, but in practice
server-auth is used 99.9% of the time and client-auth maybe 1% of the time.

Your commands above mostly use suffixes to identify file contents
(.key .req .srl) except for certs where you use the generic .pem.
It might be clearer to use .cer or .crt for the certs.

> Then I copy over the files client.pem and server.pem to the example
> software (openssl-examples-20020110):
>
> $ cp server.pem client.pem openssl-examples-20020110
> $ cd openssl-examples-20020110
>

I didn't look at that app to see if it uses client-auth.

In general a server needs server key and cert but not *any* per-client
file(s). *If* client-auth is used, the server needs the *CA* cert which
(or whose key) signed the client cert(s); you used one CA for both server
and client, so that's the CA the server would need. Conversely, a client
needs client key and cert if client-auth, and (server's) CA cert almost always.

> but the server can't understand the file server.pem:
>
> $ ./wserver
> Can't read key file <snip: ANY PRIVATE KEY not found in file>

This app apparently wants key in server.pem, and probably cert also since
that generic name makes most sense for both. Some do that; some use two
files; some offer both options. OpenSSL PEM_read routines skip 'other' data
to support this. You currently have only the cert in server.pem.

Take your server.key and your current server.pem (or if renamed as above,
server.cer) and concatenate them and use that as the server.pem for this app.
Or look to see if the app has commandline options (or env-vars or other things).

Assuming the related client app was written in the same style, probably it
similarly wants client key&cert in one file if client-auth is used. Almost
certainly it will want CA cert in a separate file, and it *might* want it in
a directory using OpenSSL's "hashlinks" scheme, although for an example
program I wouldn't usually bother with that.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
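The quoted steps and the reply's fix, as an added shell example that is not part of this thread: it runs steps 1-4 non-interactively, reproduces the "no private key in the file" failure against the cert-only file, then checks that a key+cert bundle is readable as both key and cert and chains to ca.pem. The names server.crt and bundled.crt, the subjects, 2048-bit keys, -nodes/-subj and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: steps 1-4 of the quoted mail, then the
# reply's fix of bundling key and cert into one server.pem. Subjects, 2048-bit
# keys, -nodes/-subj (non-interactive run) and the scratch dir are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_ca_and_server() {
    cd "$WORK"
    # 1) self-signed CA; -nodes writes privkey.pem unencrypted
    openssl req -new -x509 -nodes -days 365 -subj "/CN=Example CA" \
        -keyout privkey.pem -out ca.pem 2>/dev/null
    # 2)-3) server key and certificate request
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=server.example" \
        -out server.req 2>/dev/null
    # 4) sign with the CA; file.srl seeded with "00" as in the mail;
    #    the cert gets the .crt suffix the reply suggests
    printf '00\n' > file.srl
    openssl x509 -req -days 365 -in server.req -CA ca.pem -CAkey privkey.pem \
        -CAserial file.srl -out server.crt 2>/dev/null
    # The fix from the reply: one file holding key and cert
    cat server.key server.crt > server.pem
}

# The error the example server hit: a cert-only file has no private key in it.
cert_only_has_no_key() {
    cd "$WORK"
    ! openssl pkey -in server.crt -noout 2>/dev/null
}

# The bundle works because PEM readers skip blocks they are not asked for:
# the key read, the cert read and chain validation all succeed, and the key
# belongs to the cert (same public key). Prints "ok" on success.
check_bundle() {
    cd "$WORK"
    openssl pkey -in server.pem -noout 2>/dev/null || return 1
    openssl x509 -in server.pem -out bundled.crt 2>/dev/null || return 1
    openssl verify -CAfile ca.pem bundled.crt >/dev/null 2>&1 || return 1
    [ "$(openssl pkey -in server.pem -pubout 2>/dev/null)" = \
      "$(openssl x509 -in server.pem -noout -pubkey 2>/dev/null)" ] || return 1
    echo ok
}

if [ "${1:-}" = "run" ]; then
    make_ca_and_server && cert_only_has_no_key && check_bundle
fi
```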