openssl/doc/HOWTO/certificates.txt

<DRAFT!>
			HOWTO certificates

1. Introduction

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

  - User of some client application
  - User of some server application
  - Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read https://docs.openssl.org/master/man1/openssl-ca.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used.  You may find it in /etc/,
/usr/local/ssl/ or somewhere else.  By default the file is named
openssl.cnf and is described at https://docs.openssl.org/master/man5/config.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.


2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key.  To be useful, there must be a corresponding private key
somewhere.  With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with 'openssl genrsa -out privkey.pem' if
you want an RSA private key, or if you want a DSA private key:
'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.

The private keys created by these commands are not passphrase protected;
it might or might not be the desirable thing.  Further information on how to
create private keys can be found at https://github.com/openssl/openssl/blob/master/doc/HOWTO/keys.txt.
The rest of this text assumes you have a private key in the file privkey.pem.


3. Creating a certificate request

To create a certificate, you need to start with a certificate request
(or, as some certificate authorities like to put it, "certificate
signing request", since that's exactly what they do, they sign it and
give you the result back, thus making it authentic according to their
policies).  A certificate request is sent to a certificate authority
to get it signed into a certificate. You can also sign the certificate
yourself if you have your own certificate authority or create a
self-signed certificate (typically for testing purposes).

The certificate request is created like this:

  openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format.  If not, use the extra argument '-outform'
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>).  In some cases, -outform does not let you output the
certificate request in the right format and you will have to use one
of the various other commands that are exposed by openssl (or get
creative and use a combination of tools).

The certificate authority performs various checks (according to their
policies) and usually waits for payment from you. Once that is
complete, they send you your new certificate.

Section 5 will tell you more on how to handle the certificate you
received.


4. Creating a self-signed test certificate

You can create a self-signed certificate if you don't want to deal
with a certificate authority, or if you just want to create a test
certificate for yourself.  This is similar to creating a certificate
request, but creates a certificate instead of a certificate request.
This is NOT the recommended way to create a CA certificate, see
https://docs.openssl.org/master/man1/openssl-ca.

  openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095


5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else.  Depending on your
applications, this may be perfectly OK.  It all depends on what they
know how to decode.  If not, there are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file.  The ways to do this is described in
another HOWTO <formats.txt?>, I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that's all
right for your applications, simply concatenating the certificate and
the key into a new file and using that one should be enough.  With
some applications, you don't even have to do that.


By now, you have your certificate and your private key and can start
using applications that depend on it.

--
Richard Levitte
Make all configuration macros available for application by making sure they are available in opensslconf.h, by giving them names starting with "OPENSSL_" to avoid conflicts with other packages and by making sure e_os2.h will cover all platform-specific cases together with opensslconf.h. I've checked fairly well that nothing breaks with this (apart from external software that will adapt if they have used something like NO_KRB5), but I can't guarantee it completely, so a review of this change would be a good thing. 2001-02-20 00:06:34 +08:00			`<DRAFT!>`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`HOWTO certificates`

Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00			`1. Introduction`

Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`How you handle certificates depends a great deal on what your role is.`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`Your role can be one or several of:`

Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`- User of some client application`
			`- User of some server application`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`- Certificate authority`

			`This file is for users who wish to get a certificate of their own.`
Point to new docs location Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27331) 2025-04-10 13:04:41 +08:00			`Certificate authorities should read https://docs.openssl.org/master/man1/openssl-ca.`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00
			`In all the cases shown below, the standard configuration file, as`
			`compiled into openssl, will be used. You may find it in /etc/,`
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`/usr/local/ssl/ or somewhere else. By default the file is named`
Point to new docs location Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27331) 2025-04-10 13:04:41 +08:00			`openssl.cnf and is described at https://docs.openssl.org/master/man5/config.`
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`You can specify a different configuration file using the`
			`'-config {file}' argument with the commands shown below.`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00

Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00			`2. Relationship with keys`

Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`Certificates are related to public key cryptography by containing a`
			`public key. To be useful, there must be a corresponding private key`
			`somewhere. With OpenSSL, public keys are easily derived from private`
			`keys, so before you create a certificate or a certificate request, you`
			`need to create a private key.`

Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`Private keys are generated with 'openssl genrsa -out privkey.pem' if`
Replace "a RSA" with "an RSA" Fixes openssl#19771 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19787) 2022-11-30 12:59:39 +08:00			`you want an RSA private key, or if you want a DSA private key:`
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.`

			`The private keys created by these commands are not passphrase protected;`
			`it might or might not be the desirable thing. Further information on how to`
Point to new docs location Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27331) 2025-04-10 13:04:41 +08:00			`create private keys can be found at https://github.com/openssl/openssl/blob/master/doc/HOWTO/keys.txt.`
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`The rest of this text assumes you have a private key in the file privkey.pem.`
Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00

			`3. Creating a certificate request`

Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`To create a certificate, you need to start with a certificate request`
			`(or, as some certificate authorities like to put it, "certificate`
			`signing request", since that's exactly what they do, they sign it and`
			`give you the result back, thus making it authentic according to their`
			`policies). A certificate request is sent to a certificate authority`
			`to get it signed into a certificate. You can also sign the certificate`
			`yourself if you have your own certificate authority or create a`
Fix grammar in certificates.txt CLA: trivial Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24238) 2024-04-22 15:38:35 +08:00			`self-signed certificate (typically for testing purposes).`
Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00
Typo correction 2003-04-04 05:55:55 +08:00			`The certificate request is created like this:`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00
			`openssl req -new -key privkey.pem -out cert.csr`

			`Now, cert.csr can be sent to the certificate authority, if they can`
			`handle files in PEM format. If not, use the extra argument '-outform'`
			`followed by the keyword for the format to use (see another HOWTO`
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`<formats.txt?>). In some cases, -outform does not let you output the`
			`certificate request in the right format and you will have to use one`
			`of the various other commands that are exposed by openssl (or get`
			`creative and use a combination of tools).`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`The certificate authority performs various checks (according to their`
			`policies) and usually waits for payment from you. Once that is`
			`complete, they send you your new certificate.`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00
Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00			`Section 5 will tell you more on how to handle the certificate you`
			`received.`


Implement self-signing in 'openssl ca'. This makes it easier to have the CA certificate part of the CA database, and combined with 'unique_subject=no', it should make operations like CA certificate roll-over easier. 2003-04-04 06:33:59 +08:00			`4. Creating a self-signed test certificate`
Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`You can create a self-signed certificate if you don't want to deal`
			`with a certificate authority, or if you just want to create a test`
			`certificate for yourself. This is similar to creating a certificate`
			`request, but creates a certificate instead of a certificate request.`
			`This is NOT the recommended way to create a CA certificate, see`
Point to new docs location Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27331) 2025-04-10 13:04:41 +08:00			`https://docs.openssl.org/master/man1/openssl-ca.`
Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00
It's recommended to use req rather than x509 to create self-signed certificates 2003-04-04 06:12:48 +08:00			`openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00

Extend the HOWTO on creating certificates, and add a HOWTO in creating keys. PR: 422 2003-01-14 23:42:16 +08:00			`5. What to do with the certificate`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00
			`If you created everything yourself, or if the certificate authority`
			`was kind enough, your certificate is a raw DER thing in PEM format.`
			`Your key most definitely is if you have followed the examples above.`
			`However, some (most?) certificate authorities will encode them with`
			`things like PKCS7 or PKCS12, or something else. Depending on your`
Fix some small typos Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25073) 2024-08-02 21:54:13 +08:00			`applications, this may be perfectly OK. It all depends on what they`
Various doc fixes. Fix typo in NOTES.WIN: this -> these Fix wrong capital letter in certificates.txt Make number of characters in each line more even Remove redundant empty line Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3986) 2017-07-22 04:13:13 +08:00			`know how to decode. If not, there are a number of OpenSSL tools to`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`convert between some (most?) formats.`

			`So, depending on your application, you may have to convert your`
			`certificate and your key to various formats, most often also putting`
			`them together into one file. The ways to do this is described in`
Make all configuration macros available for application by making sure they are available in opensslconf.h, by giving them names starting with "OPENSSL_" to avoid conflicts with other packages and by making sure e_os2.h will cover all platform-specific cases together with opensslconf.h. I've checked fairly well that nothing breaks with this (apart from external software that will adapt if they have used something like NO_KRB5), but I can't guarantee it completely, so a review of this change would be a good thing. 2001-02-20 00:06:34 +08:00			`another HOWTO <formats.txt?>, I will just mention the simplest case.`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`In the case of a raw DER thing in PEM format, and assuming that's all`
Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`right for your applications, simply concatenating the certificate and`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`the key into a new file and using that one should be enough. With`
			`some applications, you don't even have to do that.`


Improves certificates HOWTO * adds links to various related documents. * fixes a few typos. * rewords a few sentences. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2014-12-01 11:21:31 +08:00			`By now, you have your certificate and your private key and can start`
			`using applications that depend on it.`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00
Remove unnecessary trailing whitespace Trim trailing whitespace. It doesn't match OpenSSL coding standards, AFAICT, and it can cause problems with git tooling. Trailing whitespace remains in test data and external source. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8092) 2019-02-01 01:55:30 +08:00			`--`
Write a first HOWTO on how to create certificates. This is currently a draft. 2000-12-02 01:44:33 +08:00			`Richard Levitte`