# HG changeset patch # User Oleksandr Gavenko # Date 1604819646 -7200 # Node ID 892004bd19bbc773b3c256e3a67cd3b27fa7128a # Parent 3e1990dc6ac82db06b1d3ba669569049a6bf3d93 PKCS#12 stores. diff -r 3e1990dc6ac8 -r 892004bd19bb tls.rst --- a/tls.rst Sun Nov 08 01:01:04 2020 +0200 +++ b/tls.rst Sun Nov 08 09:14:06 2020 +0200 @@ -5,6 +5,17 @@ .. contents:: :local: +Generate private keys +===================== + +Generate RSA key (last argument is a key bit size):: + + openssl genrsa -des3 -out my.key -passout pass:123456 2048 + +Generate DSA key:: + + openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512) + Generate a self-signed certificate ================================== @@ -94,3 +105,30 @@ curl -v --cacert my.crt https://localhost:8000 There is no certificate chain so the check is trivial for self-signed certificates... + +PKCS#12 stores +============== + +PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store:: + + openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master + +To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED +PRIVATE KEY``):: + + openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes + +To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN +DSA PRIVATE KEY``):: + + openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa + +To show private key info:: + + openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa -text -noout + +To show certificat info:: + + openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 + openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout +
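Review bot: in the "Generate private keys" hunk, the DSA example is weaker than it looks: `openssl dsaparam 512` produces 512-bit parameters, and `gendsa` is given `-passout pass:123456` without a cipher option, so the key is written unencrypted and the passphrase is never used. Suggest at least 2048-bit parameters and an explicit cipher such as `-aes256`, and the same cipher in place of `-des3` on the `genrsa` line. Both commands also write to `my.key`, so running them in sequence overwrites the RSA key, and `pass:123456` on the command line is visible in the process list and shell history; `-passout file:...` or `-passout env:...` would be a better thing to document. The `<(...)` form needs bash, which is worth stating next to the command.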
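Review bot: in the "PKCS#12 stores" hunk, the PKCS#1 conversion pipes into `openssl rsa` while the sentence above it also promises a ``BEGIN DSA PRIVATE KEY`` header; that pipeline only handles RSA keys, so either drop the DSA mention or add the `openssl dsa` variant. The `-export` line has no `-passout`, so it prompts interactively while every later command assumes `-passin pass:123456`; say which password the store was created with. Every key command uses `-nodes`, which prints the private key unencrypted to stdout, and the text should say so. The last command pipes into `openssl x509`, which reads only the first certificate, although the store was built with `-certfile other.crt` and holds more than one. Typo: "certificat" should be "certificate".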