Date: Sat, 20 Jun 2015 18:03:42 +0000 (UTC) From: Allan Jude <allanjude@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r46849 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201506201803.t5KI3gxd080707@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: allanjude Date: Sat Jun 20 18:03:41 2015 New Revision: 46849 URL: https://svnweb.freebsd.org/changeset/doc/46849 Log: Update openssl chapter based on modern certificate requirements All Certificate Authorities now require 2048 bit keys with SHA256 hashes This change brings our documentation inline with that requirement PR: 199379 Submitted by: Roland van Laar <roland@micite.net> (original) Approved by: wblock (mentor) Differential Revision: https://reviews.freebsd.org/D2836 Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jun 20 13:20:52 2015 (r46848) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jun 20 18:03:41 2015 (r46849) @@ -1840,6 +1840,11 @@ kadmind5_server_enable="YES"</programlis example of how to create a <acronym>CA</acronym> for signing one's own certificates.</para> + <para>For more information about <acronym>SSL</acronym>, read the + free <link + xlink:href="https://www.feistyduck.com/books/openssl-cookbook/">OpenSSL + Cookbook</link>.</para> + <sect2> <title>Generating Certificates</title> @@ -1858,12 +1863,11 @@ kadmind5_server_enable="YES"</programlis verifying the certificate will issue a warning to the user, rendering the verification provided by the certificate as useless.</para> - - <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput> -Generating a 1024 bit RSA private key -................++++++ -.......................................++++++ -writing new private key to 'cert.pem' + <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048</userinput> +Generating a 2048 bit RSA private key +..................+++ +.............................................................+++ +writing new private key to 'cert.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. @@ -1882,7 +1886,7 @@ Email Address []:<userinput><replaceable Please enter the following 'extra' attributes to be sent with your certificate request -A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput> +A challenge password []: An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen> <para>Other options, such as the expire time and alternate @@ -1896,7 +1900,7 @@ An optional company name []:<userinput>< <acronym>CA</acronym> who will validate the entered credentials, sign the request, and return the signed certificate. The second file, - <filename>cert.pem</filename>, is the private key for the + <filename>cert.key</filename>, is the private key for the certificate and should be stored in a secure location. If this falls in the hands of others, it can be used to impersonate the user or the server.</para> @@ -1905,29 +1909,17 @@ An optional company name []:<userinput>< is not required, a self-signed certificate can be created. First, generate the <acronym>RSA</acronym> key:</para> - <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput> + <screen>&prompt.root; <userinput>openssl genrsa -rand -genkey -out cert.key 2048</userinput> 0 semi-random bytes loaded -Generating DSA parameters, 1024 bit long prime -This could take some time -.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* -..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen> - - <para>Next, generate the <acronym>CA</acronym> key. When - prompted, enter a passphrase between 4 to 1023 characters. - Remember this passphrase as it is needed whenever the key is - used to sign a certificate.</para> - - <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput> -Generating DSA key, 1024 bits -Enter PEM pass phrase: -Verifying - Enter PEM pass phrase:</screen> - - <para>Use this key to create a self-signed certificate. When - prompted, enter the passphrase. Then follow the usual prompts - for creating a certificate:</para> +Generating RSA private key, 2048 bit long modulus +.............................................+++ +.................................................................................................................+++ +e is 65537 (0x10001)</screen> + + <para>Use this key to create a self-signed certificate. + Follow the usual prompts for creating a certificate:</para> - <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput> -Enter pass phrase for myca.key: + <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256</userinput> You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. @@ -1944,11 +1936,11 @@ Common Name (e.g. server FQDN or YOUR na Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> <para>This will create two new files in the current directory: a - certificate authority signature file, - <filename>myca.key</filename>, and the certificate itself, - <filename>new.crt</filename>. These should be placed in a - directory, preferably under <filename>/etc</filename>, which - is readable only by <systemitem + private key file + <filename>cert.key</filename>, and the certificate itself, + <filename>cert.crt</filename>. These should be placed in a + directory, preferably under <filename>/etc/ssl/</filename>, + which is readable only by <systemitem class="username">root</systemitem>. Permissions of <literal>0700</literal> are appropriate for these files and can be set using <command>chmod</command>.</para>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201506201803.t5KI3gxd080707>