Index: head/en_US.ISO8859-1/books/handbook/security/chapter.xml =================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml @@ -1840,6 +1840,11 @@ example of how to create a CA for signing one's own certificates. + For more information about SSL, read the + free OpenSSL + Cookbook. + Generating Certificates @@ -1858,12 +1863,11 @@ verifying the certificate will issue a warning to the user, rendering the verification provided by the certificate as useless. - - &prompt.root; openssl req -new -nodes -out req.pem -keyout cert.pem -Generating a 1024 bit RSA private key -................++++++ -.......................................++++++ -writing new private key to 'cert.pem' + &prompt.root; openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048 +Generating a 2048 bit RSA private key +..................+++ +.............................................................+++ +writing new private key to 'cert.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. @@ -1882,7 +1886,7 @@ Please enter the following 'extra' attributes to be sent with your certificate request -A challenge password []:SOME PASSWORD +A challenge password []: An optional company name []:Another Name Other options, such as the expire time and alternate @@ -1896,7 +1900,7 @@ CA who will validate the entered credentials, sign the request, and return the signed certificate. The second file, - cert.pem, is the private key for the + cert.key, is the private key for the certificate and should be stored in a secure location. If this falls in the hands of others, it can be used to impersonate the user or the server. 
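Review bot: The `openssl req -new -nodes ... -keyout cert.key -sha256 -newkey rsa:2048` command in the -1858 hunk writes the private key unencrypted (`-nodes` means "no DES", i.e. no passphrase), but the prose in the -1896 hunk only says cert.key "should be stored in a secure location" without mentioning that the file is stored in the clear. Either add a sentence after `writing new private key to 'cert.key'` explaining that `-nodes` leaves the key unprotected and is used here so that a server can start without a passphrase prompt, or drop `-nodes` so the reader is prompted for a passphrase as in the old DSA example. While here, the -1882 hunk now leaves `A challenge password []:` blank, which is the right default, but the prose should say why (most public CAs ignore the challenge attribute, and it is not the key's passphrase) so readers do not type a secret into it.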
@@ -1905,29 +1909,17 @@ is not required, a self-signed certificate can be created. First, generate the RSA key: - &prompt.root; openssl dsaparam -rand -genkey -out myRSA.key 1024 + &prompt.root; openssl genrsa -rand -genkey -out cert.key 2048 0 semi-random bytes loaded -Generating DSA parameters, 1024 bit long prime -This could take some time -.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* -..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++* - - Next, generate the CA key. When - prompted, enter a passphrase between 4 to 1023 characters. - Remember this passphrase as it is needed whenever the key is - used to sign a certificate. - - &prompt.root; openssl gendsa -des3 -out myca.key myRSA.key -Generating DSA key, 1024 bits -Enter PEM pass phrase: -Verifying - Enter PEM pass phrase: - - Use this key to create a self-signed certificate. When - prompted, enter the passphrase. Then follow the usual prompts - for creating a certificate: +Generating RSA private key, 2048 bit long modulus +.............................................+++ +.................................................................................................................+++ +e is 65537 (0x10001) + + Use this key to create a self-signed certificate. + Follow the usual prompts for creating a certificate: - &prompt.root; openssl req -new -x509 -days 365 -key myca.key -out new.crt -Enter pass phrase for myca.key: + &prompt.root; openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. 
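Review bot: The new `&prompt.root; openssl genrsa -rand -genkey -out cert.key 2048` line is not a valid genrsa invocation: `-genkey` is a `dsaparam`/`ecparam` option, not a `genrsa` one, and `-rand` takes a file argument, so the next token (`-genkey`) is consumed as the seed file name. The retained `0 semi-random bytes loaded` line in the sample output is exactly the symptom of that: the nonexistent seed file contributed nothing. Replace the command with `openssl genrsa -out cert.key 2048` and drop the `0 semi-random bytes loaded` line from the transcript. Also note that the old text generated a passphrase-protected CA key (`gendsa -des3`) and the replacement generates an unencrypted key with no passphrase; if that is intentional, say so in the sentence before the command (the dropped "Remember this passphrase" paragraph was the only place the reader was told about key protection), otherwise add `-aes256` to the `genrsa` command and keep the passphrase prompt in the `openssl req -new -x509` transcript.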
@@ -1944,11 +1936,11 @@ Email Address []:trhodes@FreeBSD.org This will create two new files in the current directory: a - certificate authority signature file, - myca.key, and the certificate itself, - new.crt. These should be placed in a - directory, preferably under /etc, which - is readable only by cert.key, and the certificate itself, + cert.crt. These should be placed in a + directory, preferably under /etc/ssl/, + which is readable only by root. Permissions of 0700 are appropriate for these files and can be set using chmod.
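Review bot: The prose after the transcript still says "This will create two new files in the current directory", but with the rewritten procedure `openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256` creates only cert.crt; cert.key was produced by the preceding `genrsa` step. Reword to "This creates the certificate cert.crt; together with the private key cert.key generated above, these should be placed ...". The permissions advice also needs tightening: the new text says "Permissions of 0700 are appropriate for these files", but 0700 includes the execute bit and is a directory mode, not a file mode, and only the private key needs restricting. Recommend `chmod 0600 /etc/ssl/cert.key` for the key and leaving cert.crt world-readable (0644), since the certificate is public and the services that present it must be able to read it. The original `- is readable only by cert.key` removal line also looks like the markup was lost in the previous revision, so please check the `root` in the new text is wrapped in the same `<systemitem class="username">` tag the surrounding chapter uses.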