On Tue, 29 Dec 2009, Dan Carl wrote:
> On 12/29/2009 11:36 AM, Lanny Marcus wrote:
>> I looked on the openssl man page but am too dense with commands to
>> understand what I need to do
... snip
>> openssl commands I need to use, after I ssh into the web site, to
>> generate a 2048 bit key and csr. TIA and Happy New Year!
> This will create one with a passphrase
>
> openssl genrsa -des3 -out mydomain.key 2048
> openssl req -new -key mydomain.key -out mydomain.csr
> Same put without a passpharse
>
> openssl genrsa -out mydomain.key 2048
> openssl req -new -key mydomain.key -out mydomain.csr
My notes indicate that another certificate authority
[startssl] also requires a stronger (sha1) signing algorithm
on CSR's -- ymmv
This is from a personal cheatsheet I wrote:
1. key withOUT a pass phrase
openssl genrsa -out trap.pmman.com-09.key 2048
1a. key WITH a pass phrase
openssl genrsa -des3 -out trap.pmman.com-09.key 2048
2. generate a signing request
openssl req -new -sha1 -key trap.pmman.com-09.key -out \
trap.pmman.com.csr
3. view the signing request
openssl req -noout -text -in trap.pmman.com.csr
4. view the private key
openssl rsa -noout -text -in trap.pmman.com-09.key
(one has to provide the passphrase if so protected)
We add a key year suffix ('-09') on the key to avoid
accidentially overwriting one, but not the CSR, because CSRs
may be safely recreated anytime
Our (prior) convention is to name the CA signed file with a
.pem suffix, but not a year modifier -- as I think about it though,
doing so is harmless, and would avoid an accidential
overwrite here as well.
5. view the CA counter-signed key file contents
openssl x509 -inform PEM -noout -text -ocspid \
-in trap.pmman.com.pem
-- Russ herrold
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
