On 2013/03/06 13:05, Stuart Henderson wrote:
> It's not entirely obvious that "-x509" actually means "produce a
> csr, self-sign it (defaulting to SHA1), throw away the csr and write
> the cert" and this had me stuck for a long time when I wanted to
> play with DSA server certs.
>
> So here's a diff which moves DSA cert generation instructions
> to the same style as RSA where the process is to produce a CSR and
> tell people how to sign it in separate steps. It doesn't take much
> longer and is clearer.
>
> As a bonus there are instructions for ECDSA cert generation.
>
> OK?
Tweaks from jmc and fix "..you can generate a self-signed certificate.." in
the added text for ECDSA which should have been CSR.

Index: ssl.8
===================================================================
RCS file: /cvs/src/share/man/man8/ssl.8,v
retrieving revision 1.53
diff -u -p -r1.53 ssl.8
--- ssl.8	27 Nov 2012 01:02:07 -0000	1.53
+++ ssl.8	6 Mar 2013 15:36:04 -0000
@@ -150,17 +150,63 @@ The following command will generate 1024 # openssl dsaparam 1024 -out dsa1024.pem .Ed .Pp -Once you have the DSA parameters generated, you can generate a certificate -and unencrypted private key using the command: +Once you have the DSA parameters generated, you can generate a +CSR and unencrypted private key using the command: .Bd -literal -offset indent -# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +# openssl req -nodes -newkey dsa:dsa1024.pem \e + -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem .Ed .Pp To generate an encrypted private key, you would use: .Bd -literal -offset indent -# openssl req -x509 -newkey dsa:dsa1024.pem \e - -out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem +# openssl req -newkey dsa:dsa1024.pem \e + -out /etc/ssl/dsacert.csr -keyout /etc/ssl/private/dsakey.pem +.Ed +.Pp +This +.Pa server.csr +file can then be given to a CA who will sign the key. +.Pp +You can also sign the key yourself, using the command: +.Bd -literal -offset indent +# openssl x509 -sha256 -req -days 365 \e + -in /etc/ssl/private/dsacert.csr \e + -signkey /etc/ssl/private/dsacert.key \e + -out /etc/ssl/dsacert.crt +.Ed +.Sh GENERATING ECDSA SERVER CERTIFICATES +First, generate parameters for ECDSA keys. 
+The following command will use a NIST/SECG curve over a 384-bit +prime field: +.Bd -literal -offset indent +# openssl ecparam -out ec-secp384r1.pem -name secp384r1 +.Ed +.Pp +Once you have the ECDSA parameters generated, you can generate a +CSR and unencrypted private key using the command: +.Bd -literal -offset indent +# openssl req -nodes -newkey ec:ec-secp384r1.pem \e + -keyout /etc/ssl/private/eccert.key -new \e + -out /etc/ssl/private/eccert.csr +.Ed +.Pp +To generate an encrypted private key, you would use: +.Bd -literal -offset indent +# openssl req -newkey ec:ec-secp384r1.pem \e + -keyout /etc/ssl/private/eccert.key -new \e + -out /etc/ssl/private/eccert.csr +.Ed +.Pp +This +.Pa eccert.csr +file can then be given to a CA who will sign the key. +.Pp +You can also sign the key yourself, using the command: +.Bd -literal -offset indent +# openssl x509 -sha256 -req -days 365 \e + -in /etc/ssl/private/eccert.csr \e + -signkey /etc/ssl/private/eccert.key \e + -out /etc/ssl/eccert.crt .Ed .Sh USING SSL/TLS WITH SENDMAIL By default,
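Review bot: the DSA self-sign command in this hunk does not use the files the preceding `req` commands produce. The `req` examples write `-out /etc/ssl/dsacert.csr` and `-keyout /etc/ssl/private/dsakey.pem`, but the signing step reads `-in /etc/ssl/private/dsacert.csr` and `-signkey /etc/ssl/private/dsacert.key`, and the paragraph between them names `.Pa server.csr`, which appears nowhere in the section. Someone following the page verbatim gets "No such file or directory" at the signing step. Suggest picking one naming scheme and using it in all three places, e.g. the one the new ECDSA section already uses: `-out /etc/ssl/private/dsacert.csr -keyout /etc/ssl/private/dsacert.key` in both `req` commands and `.Pa dsacert.csr` in the prose. Two smaller points in the same hunk: "a CA who will sign the key" (both new sections) should read "sign the request", since the CA signs the CSR into a certificate and never sees the private key; and the ECDSA `req` commands pass `-new` while the DSA ones do not. Both forms work because `-newkey` implies `-new`, but the two sections should match.

The two-step procedure the diff documents (curve parameters, then key plus CSR, then a separate signing step instead of `req -x509`), as an added example that is not part of the patch or of OpenBSD's ssl.8. It is made non-interactive with `-subj` and a minimal `-config` file so it runs unattended, and it follows the signing step with the checks a practitioner would run before installing the result: the CSR's own signature verifies, the certificate carries the same public key as the CSR, it is self-signed (issuer equals subject), and it was signed with SHA-256 rather than the SHA-1 default the original `-x509` form used. The temporary working directory, the CN and the 365-day lifetime are assumptions for this example; the curve and the option set are the ones in the diff.

```shell
#!/bin/sh
# Added example, not code from the ssl.8 patch or from OpenBSD.
# Paths under a temporary directory, the CN and -days 365 are assumptions.
set -eu

# Generate secp384r1 parameters, an unencrypted EC key plus CSR, and a
# self-signed certificate under $1 (CN in $2). Prints the certificate path.
gen_ecdsa_cert() {
    dir=$1
    cn=${2:-www.example.org}

    # Minimal req config so the run does not depend on the system
    # openssl.cnf; -subj below overrides the DN given here.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = $cn
EOF

    openssl ecparam -name secp384r1 -out "$dir/ec-secp384r1.pem" 2>/dev/null

    # -newkey ec:<params> creates the key; -nodes leaves it unencrypted.
    # No -x509 here, so the output is a CSR, not a certificate.
    openssl req -new -nodes -config "$dir/req.cnf" \
        -newkey "ec:$dir/ec-secp384r1.pem" -subj "/CN=$cn" \
        -keyout "$dir/eccert.key" -out "$dir/eccert.csr" 2>/dev/null

    # Separate signing step, as the diff recommends. A CA would run its
    # own equivalent of this on the CSR; -signkey self-signs with our key.
    openssl x509 -sha256 -req -days 365 \
        -in "$dir/eccert.csr" -signkey "$dir/eccert.key" \
        -out "$dir/eccert.crt" 2>/dev/null

    echo "$dir/eccert.crt"
}

# Sanity checks on the output in $1. Returns 0 only if the CSR signature
# verifies, the certificate's public key matches the CSR's, the
# certificate is self-signed, it uses ecdsa-with-SHA256, and the key is
# on secp384r1.
check_ecdsa_cert() {
    dir=$1
    openssl req -in "$dir/eccert.csr" -noout -verify 2>/dev/null || return 1

    csr_pub=$(openssl req -in "$dir/eccert.csr" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$dir/eccert.crt" -noout -pubkey)
    [ "$csr_pub" = "$crt_pub" ] || return 1

    # Strip the "subject="/"issuer=" prefixes; the DN text itself must match.
    subj=$(openssl x509 -in "$dir/eccert.crt" -noout -subject)
    iss=$(openssl x509 -in "$dir/eccert.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1

    openssl x509 -in "$dir/eccert.crt" -noout -text \
        | grep -q 'Signature Algorithm: ecdsa-with-SHA256' || return 1
    openssl x509 -in "$dir/eccert.crt" -noout -text \
        | grep -q 'ASN1 OID: secp384r1' || return 1
    return 0
}

workdir=$(mktemp -d)
crt=$(gen_ecdsa_cert "$workdir" www.example.org)
check_ecdsa_cert "$workdir"
echo "ok: $crt"
rm -rf "$workdir"
```

Once the checks pass, the key goes under /etc/ssl/private and the certificate under /etc/ssl as in the man page; the CSR is what you hand to a CA if you do not self-sign. Dropping `-nodes` gives the encrypted-key variant from the diff, at the cost of a passphrase prompt at every daemon start.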
