From owner-svn-doc-all@FreeBSD.ORG Sat Jun 20 18:03:42 2015
Return-Path:
Delivered-To: svn-doc-all@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5908E7F8; Sat, 20 Jun 2015 18:03:42 +0000 (UTC) (envelope-from allanjude@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 45EF1332; Sat, 20 Jun 2015 18:03:42 +0000 (UTC) (envelope-from allanjude@FreeBSD.org)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t5KI3g0I080708; Sat, 20 Jun 2015 18:03:42 GMT (envelope-from allanjude@FreeBSD.org)
Received: (from allanjude@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t5KI3gxd080707; Sat, 20 Jun 2015 18:03:42 GMT (envelope-from allanjude@FreeBSD.org)
Message-Id: <201506201803.t5KI3gxd080707@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: allanjude set sender to allanjude@FreeBSD.org using -f
From: Allan Jude Date: Sat, 20 Jun 2015 18:03:42 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r46849 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Jun 2015 18:03:42 -0000 Author: allanjude Date: Sat Jun 20 18:03:41 2015 New Revision: 46849 URL: https://svnweb.freebsd.org/changeset/doc/46849 Log: Update openssl chapter based on modern certificate requirements All Certificate Authorities now require 2048 bit keys with SHA256 hashes This change brings our documentation inline with that requirement PR: 199379 Submitted by: Roland van Laar (original) Approved by: wblock (mentor) Differential Revision: https://reviews.freebsd.org/D2836 Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jun 20 13:20:52 2015 (r46848) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jun 20 18:03:41 2015 (r46849) @@ -1840,6 +1840,11 @@ kadmind5_server_enable="YES"CA for signing one's own certificates. + For more information about SSL, read the + free OpenSSL + Cookbook. + Generating Certificates 
@@ -1858,12 +1863,11 @@ kadmind5_server_enable="YES" - - &prompt.root; openssl req -new -nodes -out req.pem -keyout cert.pem -Generating a 1024 bit RSA private key -................++++++ -.......................................++++++ -writing new private key to 'cert.pem' + &prompt.root; openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048 +Generating a 2048 bit RSA private key +..................+++ +.............................................................+++ +writing new private key to 'cert.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. @@ -1882,7 +1886,7 @@ Email Address []:SOME PASSWORD +A challenge password []: An optional company name []:Another Name Other options, such as the expire time and alternate @@ -1896,7 +1900,7 @@ An optional company name []:< CA who will validate the entered credentials, sign the request, and return the signed certificate. The second file, - cert.pem, is the private key for the + cert.key, is the private key for the certificate and should be stored in a secure location. If this falls in the hands of others, it can be used to impersonate the user or the server. 
@@ -1905,29 +1909,17 @@ An optional company name []:< is not required, a self-signed certificate can be created. First, generate the RSA key: - &prompt.root; openssl dsaparam -rand -genkey -out myRSA.key 1024 + &prompt.root; openssl genrsa -rand -genkey -out cert.key 2048 0 semi-random bytes loaded -Generating DSA parameters, 1024 bit long prime -This could take some time -.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* -..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++* - - Next, generate the CA key. When - prompted, enter a passphrase between 4 to 1023 characters. - Remember this passphrase as it is needed whenever the key is - used to sign a certificate. - - &prompt.root; openssl gendsa -des3 -out myca.key myRSA.key -Generating DSA key, 1024 bits -Enter PEM pass phrase: -Verifying - Enter PEM pass phrase: - - Use this key to create a self-signed certificate. When - prompted, enter the passphrase. Then follow the usual prompts - for creating a certificate: +Generating RSA private key, 2048 bit long modulus +.............................................+++ +.................................................................................................................+++ +e is 65537 (0x10001) + + Use this key to create a self-signed certificate. + Follow the usual prompts for creating a certificate: - &prompt.root; openssl req -new -x509 -days 365 -key myca.key -out new.crt -Enter pass phrase for myca.key: + &prompt.root; openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. 
@@ -1944,11 +1936,11 @@ Common Name (e.g. server FQDN or YOUR na Email Address []:trhodes@FreeBSD.org This will create two new files in the current directory: a - certificate authority signature file, - myca.key, and the certificate itself, - new.crt. These should be placed in a - directory, preferably under /etc, which - is readable only by cert.key, and the certificate itself, + cert.crt. These should be placed in a + directory, preferably under /etc/ssl/, + which is readable only by root. Permissions of 0700 are appropriate for these files and can be set using chmod.
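Review bot: In the `openssl req -new -nodes ... -keyout cert.key -sha256 -newkey rsa:2048` hunk, `-nodes` writes cert.key to disk unencrypted, yet the prose that follows only says the key "should be stored in a secure location"; add a sentence stating that `-nodes` skips the passphrase, so a reader who wants an encrypted key knows to drop that option. It would also help to say in the text that `-newkey rsa:2048` and `-sha256` are the options that produce the 2048-bit key and SHA-256 signature the commit message promises, rather than leaving that only in the command line.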
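Review bot: In the `A challenge password []:` hunk, changing the sample answer from "SOME PASSWORD" to an empty response is reasonable, but without an accompanying sentence it reads like an omission. Add a line of prose noting that the challenge password is an optional value some CAs request, is unrelated to the private key passphrase, and is usually left empty.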
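Review bot: The new `openssl genrsa -rand -genkey -out cert.key 2048` line is wrong: `-genkey` is not an option of `genrsa`, and `-rand` takes a file argument, so `-genkey` is consumed as the name of a seed file that does not exist, which is exactly why the captured output shows `0 semi-random bytes loaded`. The command should be `openssl genrsa -out cert.key 2048`, with the sample output regenerated to match. Also, because the `-des3` command and the "Remember this passphrase" paragraph were removed, cert.key is now written unencrypted; the sentence before the command should say so, or mention `-aes256` as the option for a passphrase-protected key.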
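Review bot: In the last hunk, "Permissions of 0700 are appropriate for these files" applies a directory-style mode with the execute bit to two regular files, and it lumps the private key together with the public certificate. cert.key should be 0600 (or 0400), while cert.crt is the certificate that services, often running as non-root, need to read and that is routinely world-readable, so one mode does not fit both. Suggest "Permissions of 0600 are appropriate for cert.key" and a separate statement for the directory and the certificate. Replacing the "certificate authority signature file" description of myca.key is correct, since that file was never a CA file, and /etc/ssl/ is a better location than bare /etc.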