On 22.10.2012 21:45, thorso...@lavabit.com wrote:
> Hello,
> The above generated a 1024 bit RSA private key. How to create a 4096 bit key?
The following is for 2048 bit; replace 2048 by whatever you want. Alter the template for your needs (partly German). This is a script/template I am using since years for any http/mail cert, regardless if it is used as self signed or the CSR is submitted to Thawte.

[root@buildserver:/buildserver/ssl-cert]$ cat generate-cert.sh
#!/bin/bash
# Usage: generate-cert.sh <servername>
# Creates <servername>.key/.csr/.crt/.pem in $WORKING_DIR/<servername>

WORKING_DIR="/buildserver/ssl-cert"
OUT_DIR="$WORKING_DIR/$1"

# Check the argument before touching the filesystem, otherwise an empty $1
# would make OUT_DIR equal to WORKING_DIR
if [ -z "$1" ]; then
  echo "MISSING SERVERNAME"
  echo ""
  exit 1
fi

mkdir "$OUT_DIR" 2> /dev/null
chmod 700 "$OUT_DIR"

# Remove any previous output for this server name
rm -f "$OUT_DIR/$1.key" "$OUT_DIR/$1.csr" "$OUT_DIR/$1.crt" "$OUT_DIR/$1.pem"

# Fill the server name into the commonName default of the config template
sed "s/my_common_name/$1/g" "$WORKING_DIR/openssl.conf.template" > "$WORKING_DIR/openssl.conf"

# Unencrypted private key (no -des3/-aes256); the size given here overrides default_bits
openssl genrsa -out "$OUT_DIR/$1.key" 2048
# Certificate signing request (this is what gets submitted to a CA)
openssl req -config "$WORKING_DIR/openssl.conf" -new -key "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.csr"
# Self-signed certificate, valid for 10 years
openssl x509 -req -days 3650 -in "$OUT_DIR/$1.csr" -signkey "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.crt"
# Combined cert + key file for daemons that expect a single PEM
cat "$OUT_DIR/$1.crt" "$OUT_DIR/$1.key" > "$OUT_DIR/$1.pem"

[root@buildserver:/buildserver/ssl-cert]$ cat openssl.conf.template
[ req ]
prompt = yes
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr

[ req_DN ]
countryName = "1. Landeskennung "
countryName_default = "AT"
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. Bundesland "
stateOrProvinceName_default = "your_province"
localityName = "3. Stadt "
localityName_default = "your_city"
0.organizationName = "4. Firmenname "
0.organizationName_default = "your_company"
organizationalUnitName = "5. Abteilung "
organizationalUnitName_default = "your_department"
commonName = "6. Server-Name "
commonName_max = 64
commonName_default = "my_common_name"
emailAddress = "7. Mail-Adresse "
emailAddress_max = 40
emailAddress_default = "your_email"

> Docs say that I'll be prompted for a password. Which one should I use?
> Should I specify the one for the RSA private key ($ openssl req \
> -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem \
> -days 730)?
You do NOT really want a password. How should it be entered in the boot process? What sense would it make if it is stored in cleartext on the server?
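A companion script, added here as an example and not part of the reply above or the poster's own generate-cert.sh: it produces an unencrypted key of the requested size (4096 bit by default) plus a self-signed certificate, and adds checks for the points raised in the thread, namely that the key file really has the requested bit length, that it carries no passphrase (so a daemon can load it at boot), and that the certificate belongs to that key. Function names, the output paths and the -subj fields are constructed for the example; the openssl CLI is assumed to be installed.

```shell
#!/bin/bash
# Added example, not the original script. Assumes the openssl CLI is present.

# gen_selfsigned_cert <out_dir> <server_name> [bits]
# Writes <name>.key, <name>.crt and a combined <name>.pem into <out_dir>.
gen_selfsigned_cert() {
    local out_dir="$1" name="$2" bits="${3:-4096}"
    # Validate the name before creating anything on disk
    [ -n "$name" ] || { echo "MISSING SERVERNAME" >&2; return 1; }
    mkdir -p "$out_dir" && chmod 700 "$out_dir"
    # No -des3/-aes256: the key is written in cleartext on purpose, so nobody
    # has to type a passphrase at boot; file permissions protect it instead.
    openssl genrsa -out "$out_dir/$name.key" "$bits" 2>/dev/null || return 1
    # -subj replaces the interactive prompts of an openssl.conf template
    # (constructed subject, adjust C/O for your own setup)
    openssl req -new -x509 -days 3650 -key "$out_dir/$name.key" \
        -subj "/C=AT/O=example/CN=$name" -out "$out_dir/$name.crt" || return 1
    cat "$out_dir/$name.crt" "$out_dir/$name.key" > "$out_dir/$name.pem"
    chmod 600 "$out_dir/$name.key" "$out_dir/$name.pem"
}

# key_bits <keyfile>: print the modulus size actually stored in the key file
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# key_is_encrypted <keyfile>: succeeds if the PEM is passphrase-protected
# (matches both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY")
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# cert_matches_key <crt> <key>: succeeds if the cert's public key is the key's
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
```

Run as `gen_selfsigned_cert /buildserver/ssl-cert/www www.example.test 4096` and follow with `key_bits` / `key_is_encrypted` on the resulting .key file.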