On Fri, Jun 15, 2007 17:14:55 PM -0700, Karl R. Balsmeier (karl@klxsystems.net) wrote:
# openssl genrsa -out /etc/ssl/private/server.key 1024
# openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
# openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
    -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
Where should the -nodes option go with this approach? Only in the first command?
Now, let's compare this with the one-command solution that Paul provided, please:
openssl req \
    -x509 -nodes -days 365 \
    -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
    -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
If I _am_ starting to figure this out, the only differences are that:
- Paul passed all the options on the command line in -subj; Karl assumes they are in openssl.cnf
- Karl places keys and certificate in _separate_ files (as I had originally asked), so he needs 3 commands instead of one: the first creates the key, the second an unsigned certificate in /etc/ssl/private/server.csr, the third signs that certificate with the key and puts the signed version in /etc/ssl/server.crt
Is this explanation correct?
Yes, I'm being verbose and I'm nitpicking, but since we all agreed there is no decent documentation on these basic issues (*), we can say we're writing it now, can't we?
Thanks again for your time and patience,
Marco
(*) For the record, I asked the same question on the openssl-users list before coming here, but am still waiting for any answer on that front...
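
The two procedures compared in the message above, as an added example that is not part of the original thread: it runs Karl's three commands and Paul's single command in a temporary directory, then checks that each certificate carries the public key of its private key and that neither key file is passphrase-protected. The subject, the file locations and the 2048-bit key size are assumptions (the thread uses /etc/ssl and 1024 bits); -nodes appears only on the `openssl req -newkey` call, because `genrsa` writes an unencrypted key unless it is given a cipher option.

```shell
#!/bin/sh
# Added example; subject and paths are constructed, all files go to a temp dir.
SUBJ='/C=US/ST=Example/L=Example/CN=www.example.test'
BITS=2048   # assumption: the thread uses 1024, which is too short today

# Karl's three commands: key, then CSR, then self-signed certificate.
three_step() {   # $1 = output directory
    openssl genrsa -out "$1/server.key" "$BITS" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "$SUBJ" -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Paul's single command: key and certificate end up in the same file.
one_command() {  # $1 = combined output file
    openssl req -x509 -nodes -days 365 -subj "$SUBJ" \
        -newkey "rsa:$BITS" -keyout "$1" -out "$1" 2>/dev/null
}

# Digest of the public key carried by a private key, CSR or certificate.
pubkey_digest() {  # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null | openssl sha256
}

same_pubkey() {  # $1 $2 = type and file, $3 $4 = type and file
    [ -s "$2" ] && [ -s "$4" ] &&
    [ "$(pubkey_digest "$1" "$2")" = "$(pubkey_digest "$3" "$4")" ]
}

# True when the PEM private key in $1 is passphrase-protected.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    three_step "$d" && one_command "$d/mycert.pem" &&
    same_pubkey key "$d/server.key" csr "$d/server.csr" &&
    same_pubkey key "$d/server.key" crt "$d/server.crt" &&
    same_pubkey key "$d/mycert.pem" crt "$d/mycert.pem" &&
    ! key_is_encrypted "$d/server.key" && ! key_is_encrypted "$d/mycert.pem"
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "both procedures: certificate matches key, key file unencrypted"
```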