tls.rst
changeset 2451 892004bd19bb
parent 2450 3e1990dc6ac8
child 2453 5bb8692c080a
2450:3e1990dc6ac8 2451:892004bd19bb
     2 ==========
     2 ==========
     3  SSL, TLS
     3  SSL, TLS
     4 ==========
     4 ==========
     5 .. contents::
     5 .. contents::
     6    :local:
     6    :local:
       
     7 
       
     8 Generate private keys
       
     9 =====================
       
    10 
       
    11 Generate RSA key (last argument is a key bit size)::
       
    12 
       
    13   openssl genrsa -des3 -out my.key -passout pass:123456 2048
       
    14 
       
    15 Generate DSA key::
       
    16 
       
    17   openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512)
     7 
    18 
     8 Generate a self-signed certificate
    19 Generate a self-signed certificate
     9 ==================================
    20 ==================================
    10 
    21 
    11 ``openssl`` allows to generate self-signed certificate by a single command (``-newkey``
    22 ``openssl`` allows to generate self-signed certificate by a single command (``-newkey``
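Review bot: the `openssl gendsa` line generates its parameters with `<(openssl dsaparam 512)`, and 512-bit DSA is far below any current minimum; suggest `openssl dsaparam 2048` or larger. Both key-generation examples also pass the passphrase as `-passout pass:123456`, which leaves it visible in shell history and the process list; `-passout file:<path>`, `-passout stdin` or simply omitting the option and answering the prompt avoids that. In the `genrsa` line, `-des3` wraps the key with a legacy cipher; `-aes256` is the better default to show in a reference. Wording: "(last argument is a key bit size)" reads more clearly as "(the last argument is the key size in bits)".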
    92   echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt
   103   echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt
    93 
   104 
    94   curl -v --cacert my.crt https://localhost:8000
   105   curl -v --cacert my.crt https://localhost:8000
    95 
   106 
    96 There is no certificate chain so the check is trivial for self-signed certificates...
   107 There is no certificate chain so the check is trivial for self-signed certificates...
       
   108 
       
   109 PKCS#12 stores
       
   110 ==============
       
   111 
       
   112 PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store::
       
   113 
       
   114   openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
       
   115 
       
   116 To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED
       
   117 PRIVATE KEY``)::
       
   118 
       
   119   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
       
   120 
       
   121 To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN
       
   122 DSA PRIVATE KEY``)::
       
   123 
       
   124   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
       
   125 
       
   126 To show private key info::
       
   127 
       
   128   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa -text -noout
       
   129 
       
   130 To show certificat info::
       
   131 
       
   132   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
       
   133   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
       
   134
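Review bot: the "export a private key to PKCS#8 format" command passes `-nodes`, so the key is always written unencrypted with a `BEGIN PRIVATE KEY` header; the `BEGIN ENCRYPTED PRIVATE KEY` variant named in the prose only appears when `-nodes` is dropped and a `-passout` is given, so the sentence should say which case produces which header. The PKCS#1 conversion and the "show private key info" lines pipe into `openssl rsa`, which does not accept a DSA key, yet the prose says the output may be `BEGIN DSA PRIVATE KEY`; suggest adding that DSA keys need `openssl dsa` in place of `openssl rsa`. Minor: "certificat info" should read "certificate info", `-passin pass:123456` exposes the store password in shell history and the process list (`-passin stdin` or `-passin file:<path>` avoids this), and the final `134` line adds a trailing blank line at end of file.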