On Tue, 29 Dec 2009, Dan Carl wrote:
On 12/29/2009 11:36 AM, Lanny Marcus wrote:
I looked on the openssl man page but am too dense with commands to understand what I need to do
... snip
openssl commands I need to use, after I ssh into the web site, to generate a 2048 bit key and csr. TIA and Happy New Year!
This will create one with a passphrase
openssl genrsa -des3 -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
Same but without a passphrase
openssl genrsa -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
My notes indicate that another certificate authority [startssl] also requires a stronger (sha1) signing algorithm on CSRs -- ymmv
This is from a personal cheatsheet I wrote:
1. key withOUT a pass phrase
openssl genrsa -out trap.pmman.com-09.key 2048
1a. key WITH a pass phrase
openssl genrsa -des3 -out trap.pmman.com-09.key 2048
2. generate a signing request
openssl req -new -sha1 -key trap.pmman.com-09.key -out \
    trap.pmman.com.csr
3. view the signing request
openssl req -noout -text -in trap.pmman.com.csr
4. view the private key
openssl rsa -noout -text -in trap.pmman.com-09.key
(one has to provide the passphrase if so protected)
We add a key year suffix ('-09') on the key to avoid accidentally overwriting one, but not the CSR, because CSRs may be safely recreated anytime
Our (prior) convention is to name the CA signed file with a .pem suffix, but not a year modifier -- as I think about it though, doing so is harmless, and would avoid an accidental overwrite here as well.
5. view the CA counter-signed key file contents
openssl x509 -inform PEM -noout -text -ocspid \
    -in trap.pmman.com.pem
-- Russ herrold
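The key-and-CSR procedure from Dan's and Russ's replies, as one runnable script. This is an added example, not code posted by anyone in the thread; the domain www.example.com, the subject fields, and the temporary working directory are placeholders. It runs `openssl req` non-interactively via -subj, and adds the two checks worth doing before a CSR goes to a CA: that the CSR's own signature verifies, and that the modulus in the CSR matches the private key it is supposedly for (the usual way to catch a CSR generated against the wrong key). It signs the CSR with -sha256 rather than the -sha1 in Russ's cheatsheet, since public CAs no longer accept SHA-1.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a 2048-bit RSA key
# and a CSR for it, then checks that the CSR is internally consistent and
# actually belongs to that key. www.example.com and the subject are placeholders.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

DOMAIN="www.example.com"                  # placeholder
KEY="$WORK/$DOMAIN-$(date +%y).key"       # year suffix, per Russ's naming convention
CSR="$WORK/$DOMAIN.csr"                   # no suffix: a CSR can be regenerated anytime

# 1. private key without a pass phrase. Add -aes256 (or the thread's -des3)
#    to encrypt it at rest; then the server needs the phrase at every start.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# 2. CSR for that key. -subj answers the interactive prompts; -sha256 is the
#    signature hash on the request itself (CAs reject SHA-1 requests today).
gen_csr() {
    openssl req -new -sha256 -key "$KEY" \
        -subj "/C=US/ST=Ohio/L=Columbus/O=Example Inc/CN=$DOMAIN" \
        -out "$CSR"
}

# 3. checks before sending the CSR off:
#    a) the self-signature on the request verifies (file not truncated/corrupt),
#    b) the RSA modulus in the CSR equals the one in our private key,
#    c) the CN is the host we intended.
verify_csr() {
    openssl req -noout -verify -in "$CSR" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null)
    csr_mod=$(openssl req -noout -modulus -in "$CSR")
    [ "$key_mod" = "$csr_mod" ] || return 1
    openssl req -noout -subject -in "$CSR" | grep -q "CN *= *$DOMAIN"
}

# Key size as reported by "openssl rsa -text" (works for 1.1 and 3.x output).
key_bits() {
    openssl rsa -noout -text -in "$KEY" 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

gen_key
gen_csr
verify_csr && echo "CSR for $DOMAIN is consistent with $KEY ($(key_bits) bit)"
```

After the CA returns the signed certificate, the same modulus comparison (`openssl x509 -noout -modulus -in cert.pem` against the key) confirms the certificate was issued for the key you hold before it is installed.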