Well that’s a good question. For my purposes, this is what I need to know:
So. Let’s get started, eh?
Ok, here you’re going to create your key - and treat is as such. This should be kept private, and not shared with anyone.
Now, you have a couple of options here - the first is to create your private key with a password, the other is to make it without one. If you create it with a password, you have to type it in every time your start any server that uses it.
Important: If you create your private key with a password, you can remove it later. I recommend creating your private key with a password, and then removing it temporarily every time you need to use it. When you’re done with the key without a password, delete it so it isn’t a security risk.
openssl genrsa -des3 -out domain.tld.encrypted.key 1024
openssl genrsa -out domain.tld.key 1024
If you created your private key with a password, you’ll want to complete the rest of the steps using a decrypted private key - else you’ll have to type in your password every time you use the certificate (ie: every time you start a daemon using that certificate.)
openssl rsa -in domain.tld.encrypted.key -out domain.tld.key
On this step you’re going to create what you actually send to your Certificate Authority. If you set a password with your Private Key, you’ll be required to enter it to create the CSR. After you finish all these steps, you can delete your CSR.
openssl req -new -key domain.tld.key -out domain.tld.csr
You have three options here: 1. Self-signing 2. Creating a certificate authority (CA) 3. Paying a CA to create your certificate for you.
Here’s what’s up: Self-signing is easy, free, and quick. Creating a CA isn’t terribly difficult, but probably more than you want to handle for something small. Paying for a CA can be cheap ($20), easy, quick, and comes with browser-recognition, which is generally important for public websites; especially commercial ones.
My advice: Self-sign your certificates for personal things, and pay for a certificate if its public and important.
If you’d like to pay for someone to sign your certificates, do some research and find which one you want to use. Next, find their instructions for submitting your CSR file.
openssl x509 -req -days 365 -in domain.tld.csr -signkey domain.tld.key -out domain.tld.crt
If you do happen to want to setup your own certificate authority, check these resources out:
A PEM file is used by many different daemons, however how to generate such a PEM file can be hard to come by. There are some complicated ways to build one, however I have had pretty good success with simply combining the .key and the .crt file together:
cat domain.tld.key domain.tld.crt > domain.tld.pem
I am not an expert with SSL, which is exactly why I created this. This may not be accurate, YMMV, etc. Be careful. Also: Your .key is private. Keep that safe, with appropriate permissions. Make sure nobody else can access it, and do not give it away to anyone. If you have any insight, feel free to comment - I would appreciate them.
原帖地址:http://grahamc.com/blog/openssl-madness-how-to-create-keys-certificate-signing-requests-authorities-and-pem-files