Go to /etc/ssl and run
openssl genrsa -des3 -out your.key.org 2048
Number of bits has gone from 1024 minimum in the last few years to 2048 minimum. And 4096 is probably better. 129 bits was once thought unbreakable - remember Squeamish Ossifrage? But RSA-768 was cracked this year. For a really good site on this, see http://www.keylength.com/.
Anyway. It’ll ask for a passphrase – go ahead and pick anything; we’ll remove it in a minute.
After the key has been generated, do this:
openssl rsa -in your.key.org -out your.key
It’ll ask for the passphrase once, and then write out a new key without it. If you do not strip the passphrase, you’ll be required to re-enter that passphrase every time you re-start a program that uses the certs (i.e., every reboot for every system). However, this is insecure – if this key gets compromised, you’ll have to revoke the certificate. That’s why I make all the files in the directory chmod 400.
Then, you’ll use that public key to generate a Certificate Request:
openssl req -new -key your.key -out your.csr
You then submit that csr file to the certificate provider. GoDaddy sends back a zip file with the .crt file inside it.
To make a .pem file, simply use a text editor to put the .key file on top, a blank line, and the .crt on the bottom. So, for instance, stunnel uses the ipop3d.pem file to allow me to pop in to my mailbox. The file looks like this:
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCwq06LjLFsdfssT53rfgLfEW2tocP1kLXZ7Y8YqHKk8D9/
6XDlThaLEZSuMXBMDmbyvrtUy+lo8ZdCPzrOuJJUiVgupFdKrL9mZ6BYGCaPgf+G
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIE9TCDLKJw39BAgIDQ3RFMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDV
cQywGVrLyCMvV0mDrOm/V+U6r1B1NcyQEA==
-----END CERTIFICATE-----