Index: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
===================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml
@@ -1840,6 +1840,11 @@
example of how to create a CA for signing
one's own certificates.
+ For more information about SSL, read the
+ free OpenSSL
+ Cookbook.
+
Generating Certificates
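Review bot: the added pointer to the OpenSSL Cookbook gives the reader no way to reach it: the three new lines "For more information about SSL, read the / free OpenSSL / Cookbook." carry no URL or link in this view. Add a link to where the Cookbook is published (in the book's usual link markup) so the reference is actionable, and consider writing "SSL/TLS", since the rest of the section concerns certificates used for TLS.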
@@ -1858,12 +1863,11 @@
verifying the certificate will issue a warning to the user,
rendering the verification provided by the certificate as
useless.
-
- &prompt.root; openssl req -new -nodes -out req.pem -keyout cert.pem
-Generating a 1024 bit RSA private key
-................++++++
-.......................................++++++
-writing new private key to 'cert.pem'
+ &prompt.root; openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048
+Generating a 2048 bit RSA private key
+..................+++
+.............................................................+++
+writing new private key to 'cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
@@ -1882,7 +1886,7 @@
Please enter the following 'extra' attributes
to be sent with your certificate request
-A challenge password []:SOME PASSWORD
+A challenge password []:
An optional company name []:Another NameOther options, such as the expire time and alternate
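Review bot: `-nodes` on the new `openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048` line writes the private key to cert.key unencrypted, and nothing in the surrounding prose says so; since the following paragraph warns that whoever obtains this file can impersonate the user or server, either drop `-nodes` so the key is passphrase-protected, or add one sentence explaining that `-nodes` is chosen so a daemon can read the key at start-up without a passphrase. Moving to `-newkey rsa:2048` and `-sha256` is the right replacement for the 1024-bit key the removed output showed, and leaving `A challenge password []:` empty is fine because CAs rarely use that attribute; a short remark that it can be left blank would stop readers from typing one.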
@@ -1896,7 +1900,7 @@
CA who will validate the entered
credentials, sign the request, and return the signed
certificate. The second file,
- cert.pem, is the private key for the
+ cert.key, is the private key for the
certificate and should be stored in a secure location. If
this falls in the hands of others, it can be used to
impersonate the user or the server.
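Review bot: the rename in "cert.key, is the private key for the" matches the new `-keyout cert.key` in the command above; this hunk touches only that one occurrence, so check that no other mention of cert.pem elsewhere in the chapter is left behind.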
@@ -1905,29 +1909,17 @@
is not required, a self-signed certificate can be created.
First, generate the RSA key:
- &prompt.root; openssl dsaparam -rand -genkey -out myRSA.key 1024
+ &prompt.root; openssl genrsa -rand -genkey -out cert.key 2048
0 semi-random bytes loaded
-Generating DSA parameters, 1024 bit long prime
-This could take some time
-.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
-..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
-
- Next, generate the CA key. When
- prompted, enter a passphrase between 4 to 1023 characters.
- Remember this passphrase as it is needed whenever the key is
- used to sign a certificate.
-
- &prompt.root; openssl gendsa -des3 -out myca.key myRSA.key
-Generating DSA key, 1024 bits
-Enter PEM pass phrase:
-Verifying - Enter PEM pass phrase:
-
- Use this key to create a self-signed certificate. When
- prompted, enter the passphrase. Then follow the usual prompts
- for creating a certificate:
+Generating RSA private key, 2048 bit long modulus
+.............................................+++
+.................................................................................................................+++
+e is 65537 (0x10001)
+
+ Use this key to create a self-signed certificate.
+ Follow the usual prompts for creating a certificate:
- &prompt.root; openssl req -new -x509 -days 365 -key myca.key -out new.crt
-Enter pass phrase for myca.key:
+ &prompt.root; openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
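Review bot: the new key-generation line `openssl genrsa -rand -genkey -out cert.key 2048` is wrong: `-genkey` is not a genrsa option (it belongs to dsaparam and ecparam), and because `-rand` takes a file list as its argument, `-genkey` is consumed as a nonexistent file name, which is why the pasted output reads "0 semi-random bytes loaded". Use `openssl genrsa -out cert.key 2048` (with `-aes256` or `-des3` if the key should be passphrase-protected). Two further points: the removed DSA steps encrypted the key with `-des3` and a passphrase, and the replacement produces a plaintext key without saying so, so either keep an encryption option or state in the prose that the key is unencrypted; and this step writes cert.key, the same file name the CSR example earlier in the section writes with `-keyout cert.key`, so a reader who runs both procedures in one directory silently overwrites the first key. Changing the commands from DSA to RSA so they match "First, generate the RSA key:" and adding `-sha256` to the `req -new -x509` line are good.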
@@ -1944,11 +1936,11 @@
Email Address []:trhodes@FreeBSD.orgThis will create two new files in the current directory: a
- certificate authority signature file,
- myca.key, and the certificate itself,
- new.crt. These should be placed in a
- directory, preferably under /etc, which
- is readable only by cert.key, and the certificate itself,
+ cert.crt. These should be placed in a
+ directory, preferably under /etc/ssl/,
+ which is readable only by root. Permissions of
0700 are appropriate for these files and
can be set using chmod.
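Review bot: "This will create two new files in the current directory" is no longer accurate for the new text: `openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256` reads cert.key and creates only cert.crt, so say that one file is created and that cert.key came from the previous step. Also, "Permissions of 0700 are appropriate for these files" sets the execute bit on regular files; 0600 on cert.key (0700 on the containing directory, if anything) is the conventional setting, and only the private key needs to be restricted to root, since the certificate itself is public. Moving the suggested location to /etc/ssl/ is sensible. The removed line "is readable only by root" appears fused with new text in this view ("is readable only by cert.key, and the certificate itself,"); verify that the committed XML has the new wording on its own line.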