Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit d3358153498f9611886facb7608fce33c7e22f05
Author: Eric Christensen <echriste@xxxxxxxxxx>
Date: Fri May 30 09:49:40 2014 -0400

Added instructions for generating ECDSA keys
>---------------------------------------------------------------
Securing_TLS/en-US/OpenSSL.xml | 20 ++++++++++++++++++++
1 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/Securing_TLS/en-US/OpenSSL.xml b/Securing_TLS/en-US/OpenSSL.xml
index df458d9..1c9c403 100644
--- a/Securing_TLS/en-US/OpenSSL.xml
+++ b/Securing_TLS/en-US/OpenSSL.xml
@@ -190,6 +190,26 @@ openssl x509 -req -days 365 -sha384 -in key_name.csr -signkey key_name.key -out <emphasis>Optional</emphasis> - This last step isn't generally necessary. This is what the CA does on their side except they use their key in place of key_name.key to sign your key. By doing this you are creating a self-signed certificate which is not very useful and should only be used for testing purposes. </para> </section> + <section id="sect-Fedora_Security_Team-Securing_TLS-OpenSSL-Generating_Crypto-ECDSA"> + <title>Generating ECDSA keys</title> + <para>ECDSA keys are part of the latest generation of cryptography used in TLS-protected circuits. ECDSA keys do not have to be as large as an RSA key to provide similar protection.</para> + <para>The process for generating an ECDSA key is similar to that of RSA and we'll go over the commands now. + +<screen> +openssl ecparam -genkey -name <emphasis>curve</emphasis> -out key_name.pem +</screen> +In this command you must provide the name of the curve to use. There are many curves to choose from but based on your particular installation of OpenSSL your choices may be limited. To determine what curves are available you run <command>openssl ecparam -list_curves</command>. +<screen> +openssl req -new -key key_name.key -out key_name.csr +</screen> +This will generate a certificate signing request (<abbrev>CSR</abbrev>) to provide to your certificate authority (<abbrev>CA</abbrev>) for signing. +<note><para>It's important to find a CA that will sign your ECDSA key with an ECDSA key to keep the security level high.</para></note> +<screen> +openssl req -x509 -newkey ecdsa:ECC_params.pem -keyout server.key -out server.crt -subj /CN=localhost -nodes -batch +</screen> +This command will actually generate a self-signed certificate in one swipe. + </para> + </section> </section> </chapter> -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
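Review bot: the file names in the new section do not line up: the first `<screen>` writes the key to `key_name.pem` (`openssl ecparam -genkey -name curve -out key_name.pem`) but the CSR step reads `-key key_name.key`, so a reader following the steps verbatim gets a "no such file" error; use one name (e.g. `-out key_name.key` in the ecparam command, matching the RSA section above). The self-signed one-liner has the same problem in a different form: `-newkey ecdsa:ECC_params.pem` refers to a parameters file that the section never creates, and the `openssl req` man page documents this option as `ec:filename`, so the step should be preceded by the command that produces the file (`openssl ecparam -name curve -out ECC_params.pem`, without `-genkey`) and the prefix should be checked against the OpenSSL version the guide targets. Since this is a security guide, it is also worth a sentence noting that `-nodes` writes `server.key` unencrypted to disk, and that without `-days` the self-signed certificate gets OpenSSL's default validity, unlike the 365-day example above. Minor wording: "TLS-protected circuits" reads oddly; "TLS connections" is the usual term.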