From: W. Trevor King Date: Sat, 14 May 2011 15:00:08 +0000 (-0400) Subject: Add X.509 certificate post. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=26212adf875512a07e92112ac834b50ae241e61c;p=blog.git Add X.509 certificate post. --- diff --git a/posts/X.509_certificates.mdwn b/posts/X.509_certificates.mdwn new file mode 100644 index 0000000..027fff3 --- /dev/null +++ b/posts/X.509_certificates.mdwn @@ -0,0 +1,39 @@ +If you're running your own server, your probably not shelling out $400 +to get an "official" Certificate Authority to sign your key. Here's a +quick not to myself about how to create and sign your own key. + +Use [openssl][]'s [genpkey][] to generate an *unencrypted* public key. + + $ openssl genpkey -algorithm RSA -out key.pem + +An unencrypted key is less secure, but it allows the web server to be +restarted (e.g. after rebooting) without you being there to enter the +decryption key. Make sure `key.pem` is only readable by `root`. + +Use [req][] to generate certificate signing request. + + $ openssl req -new -key key.pem -out req.pem + +`-new` prompts you for new relevant field values. You can also +specify the values on the command line or in an configuration file +(override the default with `-config filename`). + +Use [x509][] to sign the certificate. + + $ openssl x509 -req -days 360 -in req.pem -signkey key.pem -out cert.pem + +You should keep your certificate signing request around so you can +re-sign your key later on (since your initial signature will +eventually expire). + +You can also print certificates with [x509][]. + + $ openssl x509 -in cert.pem -noout -text + +[openssl]: http://www.openssl.org/docs/apps/openssl.html +[genpkey]: http://www.openssl.org/docs/apps/genpkey.html +[req]: http://www.openssl.org/docs/apps/req.html +[x509]: http://www.openssl.org/docs/apps/x509.html + +[[!tag tags/linux]] +[[!tag tags/tools]]
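Review bot: The genpkey paragraph in this hunk says "generate an *unencrypted* public key", but `openssl genpkey -algorithm RSA -out key.pem` writes the RSA private key (the later `-signkey key.pem` and the advice that `key.pem` be readable only by `root` only make sense for a private key), so that sentence should say "private key". The same command also leaves the RSA modulus size at OpenSSL's version-dependent default; add `-pkeyopt rsa_keygen_bits:2048` (or larger) so the recipe does not silently produce a weak key, and because the file is written before the "only readable by root" step, run the command under `umask 077` or follow it with `chmod 600 key.pem` so the key never sits world-readable. In the signing step, `openssl x509 -req ... -signkey key.pem` produces a self-signed certificate, so "re-sign your key later on" should read "re-issue the certificate", and it is worth pinning the signature digest with `-sha256` rather than relying on the tool's default. Minor text fixes in the added lines: "your probably" should be "you're probably", "quick not" should be "quick note", "an configuration file" should be "a configuration file", and `-days 360` is probably meant to be `365`.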