svn commit: r46849 - head/en_US.ISO8859-1/books/handbook/security
Allan Jude
allanjude at FreeBSD.org
Sat Jun 20 18:03:42 UTC 2015
Author: allanjude
Date: Sat Jun 20 18:03:41 2015
New Revision: 46849
URL: https://svnweb.freebsd.org/changeset/doc/46849
Log:
Update openssl chapter based on modern certificate requirements
All Certificate Authorities now require 2048 bit keys with SHA256 hashes
This change brings our documentation in line with that requirement
PR: 199379
Submitted by: Roland van Laar <roland at micite.net> (original)
Approved by: wblock (mentor)
Differential Revision: https://reviews.freebsd.org/D2836
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jun 20 13:20:52 2015 (r46848)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jun 20 18:03:41 2015 (r46849)
@@ -1840,6 +1840,11 @@ kadmind5_server_enable="YES"</programlis
example of how to create a <acronym>CA</acronym> for signing
one's own certificates.</para>
+ <para>For more information about <acronym>SSL</acronym>, read the
+ free <link
+ xlink:href="https://www.feistyduck.com/books/openssl-cookbook/">OpenSSL
+ Cookbook</link>.</para>
+
<sect2>
<title>Generating Certificates</title>
@@ -1858,12 +1863,11 @@ kadmind5_server_enable="YES"</programlis
verifying the certificate will issue a warning to the user,
rendering the verification provided by the certificate as
useless.</para>
-
- <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
-Generating a 1024 bit RSA private key
-................++++++
-.......................................++++++
-writing new private key to 'cert.pem'
+ <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048</userinput>
+Generating a 2048 bit RSA private key
+..................+++
+.............................................................+++
+writing new private key to 'cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
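Review bot: the blank line that separated `</para>` from the `<screen>` block was removed together with the old transcript, while every other para/screen pair in this hunk's neighbourhood keeps one; restore it so the markup stays consistent. While here, the text should say in one sentence that `-nodes` writes `cert.key` unencrypted, since the later paragraph only says the file must be stored securely and never mentions that it is in the clear.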
@@ -1882,7 +1886,7 @@ Email Address []:<userinput><replaceable
Please enter the following 'extra' attributes
to be sent with your certificate request
-A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
+A challenge password []:
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
<para>Other options, such as the expire time and alternate
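Review bot: the challenge password prompt is now left blank without explanation, where the previous text had the reader type one; add a sentence stating that the challenge password is optional and is left empty here by pressing Enter, otherwise the bare `A challenge password []:` line reads like a truncated transcript.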
@@ -1896,7 +1900,7 @@ An optional company name []:<userinput><
<acronym>CA</acronym> who will validate the entered
credentials, sign the request, and return the signed
certificate. The second file,
- <filename>cert.pem</filename>, is the private key for the
+ <filename>cert.key</filename>, is the private key for the
certificate and should be stored in a secure location. If
this falls in the hands of others, it can be used to
impersonate the user or the server.</para>
@@ -1905,29 +1909,17 @@ An optional company name []:<userinput><
is not required, a self-signed certificate can be created.
First, generate the <acronym>RSA</acronym> key:</para>
- <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput>
+ <screen>&prompt.root; <userinput>openssl genrsa -rand -genkey -out cert.key 2048</userinput>
0 semi-random bytes loaded
-Generating DSA parameters, 1024 bit long prime
-This could take some time
-.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
-..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen>
-
- <para>Next, generate the <acronym>CA</acronym> key. When
- prompted, enter a passphrase between 4 to 1023 characters.
- Remember this passphrase as it is needed whenever the key is
- used to sign a certificate.</para>
-
- <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput>
-Generating DSA key, 1024 bits
-Enter PEM pass phrase:
-Verifying - Enter PEM pass phrase:</screen>
-
- <para>Use this key to create a self-signed certificate. When
- prompted, enter the passphrase. Then follow the usual prompts
- for creating a certificate:</para>
+Generating RSA private key, 2048 bit long modulus
+.............................................+++
+.................................................................................................................+++
+e is 65537 (0x10001)</screen>
+
+ <para>Use this key to create a self-signed certificate.
+ Follow the usual prompts for creating a certificate:</para>
- <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput>
-Enter pass phrase for myca.key:
+ <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256</userinput>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
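Review bot: `-genkey` is not an option of `openssl genrsa` (it came over from the `dsaparam` command that this hunk replaces), and `-rand` expects a file argument, so in `openssl genrsa -rand -genkey -out cert.key 2048` the string `-genkey` is consumed as the `-rand` file name; that is exactly why the captured output begins with `0 semi-random bytes loaded`. The key is still produced, but the documented command should be `openssl genrsa -out cert.key 2048`, with the transcript regenerated to match. Note also that the removed `-des3` step kept the signing key passphrase-protected, whereas the new key is written in the clear; if that is intentional, say so next to the sentence about storing the key securely, otherwise mention the cipher option that `genrsa` accepts.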
@@ -1944,11 +1936,11 @@ Common Name (e.g. server FQDN or YOUR na
Email Address []:<userinput><replaceable>trhodes at FreeBSD.org</replaceable></userinput></screen>
<para>This will create two new files in the current directory: a
- certificate authority signature file,
- <filename>myca.key</filename>, and the certificate itself,
- <filename>new.crt</filename>. These should be placed in a
- directory, preferably under <filename>/etc</filename>, which
- is readable only by <systemitem
+ private key file
+ <filename>cert.key</filename>, and the certificate itself,
+ <filename>cert.crt</filename>. These should be placed in a
+ directory, preferably under <filename>/etc/ssl/</filename>,
+ which is readable only by <systemitem
class="username">root</systemitem>. Permissions of
<literal>0700</literal> are appropriate for these files and
can be set using <command>chmod</command>.</para>
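Review bot: the retained sentence "Permissions of 0700 are appropriate for these files" sets the execute bit on regular files; 0600 is the mode that fits `cert.key`, with 0700 on the containing directory. Only the private key needs to be readable solely by root, since `cert.crt` is the public half that is handed to clients, so the new wording could scope the root-only requirement to the key. Minor: "a private key file cert.key" wants a comma after "file" to mirror "the certificate itself, cert.crt".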