==========
SSL, TLS
==========
.. contents::
   :local:

Generate private keys
=====================

Generate an RSA key (the last argument is the key size in bits; 2048 is the practical minimum today)::

  openssl genrsa -des3 -out my.key -passout pass:123456 2048

``-des3`` encrypts the key file with 3DES; prefer ``-aes256``. Note that a ``pass:`` argument on the
command line is visible in the process list and in shell history, so outside of examples use
``-passout file:...`` or ``-passout env:VAR`` instead.

Generate a DSA key (the parameters are produced on the fly with bash process substitution). A cipher
option such as ``-aes256`` is required: without one ``gendsa`` writes the key unencrypted and
``-passout`` has no effect::

  openssl gendsa -aes256 -out my.key -passout pass:123456 <(openssl dsaparam 512)

512-bit DSA is far too weak for real use and TLS 1.3 does not support DSA at all; the small size is kept
here only because it generates quickly. Prefer an RSA key of 2048 bits or more, or an EC key.

Generate a self-signed certificate
==================================

``openssl`` can generate a self-signed certificate with a single command (``-newkey``
  echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt

  curl -v --cacert my.crt https://localhost:8000

Look for ``Verify return code: 0 (ok)`` in the ``s_client`` output, and for no ``SSL certificate problem``
error from ``curl``. There is no certificate chain, so the check is trivial for a self-signed certificate:
the file passed via ``-CAfile``/``--cacert`` is the only trust anchor and is the very certificate the
server presents. Without that option both tools reject the connection, because a self-signed certificate
is not in the system trust store.

PKCS#12 stores
==============

A PKCS#12 store keeps private keys and certificates together in one password-protected file. To combine a
private key and certificates into a store (``-name`` sets the friendly name of the entry, ``-certfile``
adds further certificates such as the issuing CA)::

  openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master -passout pass:123456

Without ``-passout`` the export password is prompted for interactively. Stores written by OpenSSL 1.x use
legacy RC2/3DES encryption, so OpenSSL 3.x needs ``-legacy`` (with the legacy provider available) to read
them.

To export the private key in PKCS#8 format (header ``BEGIN PRIVATE KEY``)::

  openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes

``-nodes`` (``-noenc`` in OpenSSL 3.x, ``-nodes`` still works) writes the key unencrypted; drop it and add
``-passout`` to get an encrypted PKCS#8 key with header ``BEGIN ENCRYPTED PRIVATE KEY``. ``-info`` prints the
store's MAC and encryption parameters to stderr, and the ``Bag Attributes`` lines that accompany the PEM
on stdout are ignored by the next ``openssl`` command, so the output can be piped on.

To extract the private key and convert it to PKCS#1 format (header ``BEGIN RSA PRIVATE KEY``; for a DSA key
use ``openssl dsa`` instead, header ``BEGIN DSA PRIVATE KEY``)::

  openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa

OpenSSL 3.x writes PKCS#8 by default even from ``openssl rsa``; add ``-traditional`` there to get the
PKCS#1 header.

To show private key info::

  openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa -text -noout

To show certificate info::

  openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
  openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout

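The following script is an example added here, not code from the original page. It ties the self-signed
certificate check and the PKCS#12 round trip together: it generates a throwaway RSA key and self-signed
certificate, verifies the certificate against itself with ``openssl verify`` (the offline counterpart of
the ``s_client -CAfile`` check above) and shows that it fails without that anchor, builds a PKCS#12 store,
extracts key and certificate again, confirms they belong together by comparing public keys, and checks
that a wrong store password is rejected. The file names, the ``CN=localhost`` subject and the ``123456``
password are assumptions for the demo; the script needs the ``openssl`` binary.

```shell
#!/bin/sh
# Added example, not code from the original page: round-trip a key and
# self-signed certificate through a PKCS#12 store and verify the pieces.
# File names, the CN=localhost subject and the password are demo assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='123456'   # demo only: a pass: argument shows up in `ps`; use file:/env: for real use

# 1. Key and self-signed certificate in one command (RSA 2048, valid for one day).
gen_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$WORK/my.key" -out "$WORK/my.crt" 2>/dev/null
}

# 2. A self-signed certificate is its own only trust anchor: verification succeeds
#    exactly when it is supplied via -CAfile (offline form of s_client -CAfile) ...
verify_with_own_cert() {
    openssl verify -CAfile "$WORK/my.crt" "$WORK/my.crt" >/dev/null
}

# ... and fails when no anchor is given (system stores excluded to keep the check honest).
verify_without_anchor_fails() {
    ! openssl verify -no-CAfile -no-CApath "$WORK/my.crt" >/dev/null 2>&1
}

# 3. Bundle key and certificate into a password-protected PKCS#12 store.
build_p12() {
    openssl pkcs12 -export -in "$WORK/my.crt" -inkey "$WORK/my.key" \
        -name master -passout "pass:$PASS" -out "$WORK/my.p12"
}

# 4. Extract the private key unencrypted; `openssl pkey` drops the Bag Attributes
#    lines and emits clean PKCS#8 ("BEGIN PRIVATE KEY").
extract_key_pkcs8() {
    openssl pkcs12 -in "$WORK/my.p12" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
        | openssl pkey
}

# 5. Extract the certificate only ("BEGIN CERTIFICATE").
extract_cert() {
    openssl pkcs12 -in "$WORK/my.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | openssl x509
}

# 6. The public key inside the certificate must equal the one derived from the
#    extracted private key; otherwise the store was built from a mismatched pair.
key_matches_cert() {
    cert_pub="$(extract_cert | openssl x509 -pubkey -noout)"
    key_pub="$(extract_key_pkcs8 | openssl pkey -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# 7. A wrong store password must be rejected (MAC verify error), not produce output.
wrong_password_fails() {
    ! openssl pkcs12 -in "$WORK/my.p12" -nocerts -nodes -passin 'pass:wrong' >/dev/null 2>&1
}

gen_key_and_cert
build_p12
verify_with_own_cert        && echo "self-signed certificate verifies against itself"
verify_without_anchor_fails && echo "rejected without a trust anchor"
extract_key_pkcs8 | sed -n 1p   # -----BEGIN PRIVATE KEY-----
extract_cert      | sed -n 1p   # -----BEGIN CERTIFICATE-----
key_matches_cert            && echo "key and certificate match"
wrong_password_fails        && echo "wrong password rejected"
```

The public-key comparison in step 6 is the check worth keeping around: a store assembled from a key and a
certificate that do not belong together exports cleanly and only fails later, at TLS handshake time.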