From 064574425b38832f94e51fe31a1f6293ad8ac604 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 20 Jun 2008 11:53:05 +0200 Subject: improved TLS doc also changed samples to 2048 bit keys, because 1024 will soon no longer be considered secure. --- doc/tls_cert_ca.html | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) (limited to 'doc/tls_cert_ca.html') diff --git a/doc/tls_cert_ca.html b/doc/tls_cert_ca.html index efe34c85..7427bb03 100644 --- a/doc/tls_cert_ca.html +++ b/doc/tls_cert_ca.html @@ -68,19 +68,21 @@ sign other certificates.

Sample Screen Session

+

Text in red is user input. Please note that for some questions, there is no +user input given. This means the default was accepted by simply pressing the +enter key. 

-[root@rgf9dev sample]# certtool --generate-privkey --outfile ca-key.pem
-Generating a 1024 bit RSA private key...
-[root@rgf9dev sample]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
-[root@rgf9dev sample]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
+[root@rgf9dev sample]# certtool --generate-privkey --outfile ca-key.pem --bits 2048
+Generating a 2048 bit RSA private key...
+[root@rgf9dev sample]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
 Generating a self signed certificate...
 Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
-Country name (2 chars): US
-Organization name: SomeOrg
-Organizational unit name: SomeOU
-Locality name: Somewhere
-State or province name: CA
-Common name: someName (not necessarily DNS!)
+Country name (2 chars): US
+Organization name: SomeOrg
+Organizational unit name: SomeOU
+Locality name: Somewhere
+State or province name: CA
+Common name: someName (not necessarily DNS!)
 UID: 
 This field should not be used in new certificates.
 E-mail: 
@@ -88,16 +90,16 @@ Enter the certificate's serial number (decimal):
 
 
 Activation/Expiration time.
-The certificate will expire in (days): 3650
+The certificate will expire in (days): 3650
 
 
 Extensions.
-Does the certificate belong to an authority? (Y/N): y
+Does the certificate belong to an authority? (Y/N): y
 Path length constraint (decimal, -1 for no constraint): 
 Is this a TLS web client certificate? (Y/N): 
 Is this also a TLS web server certificate? (Y/N): 
-Enter the e-mail of the subject of the certificate: someone@example.net
-Will the certificate be used to sign other certificates? (Y/N): y
+Enter the e-mail of the subject of the certificate: someone@example.net
+Will the certificate be used to sign other certificates? (Y/N): y
 Will the certificate be used to sign CRLs? (Y/N): 
 Will the certificate be used to sign code? (Y/N): 
 Will the certificate be used to sign OCSP requests? (Y/N): 
@@ -111,7 +113,7 @@ X.509 Certificate Information:
 		Not After: Sun Jun 17 10:35:25 UTC 2018
 	Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=someName (not necessarily DNS!)
 	Subject Public Key Algorithm: RSA
-		Modulus (bits 1024):
+		Modulus (bits 2048):
 			d9:9c:82:46:24:7f:34:8f:60:cf:05:77:71:82:61:66
 			05:13:28:06:7a:70:41:bf:32:85:12:5c:25:a7:1a:5a
 			28:11:02:1a:78:c1:da:34:ee:b4:7e:12:9b:81:24:70
@@ -135,12 +137,12 @@ Other Information:
 	Public Key Id:
 		fbfe968d10a73ae5b70d7b434886c8f872997b89
 
-Is the above information ok? (Y/N): y
+Is the above information ok? (Y/N): y
 
 
 Signing certificate...
-[root@rgf9dev sample]# chmod 400 ca-key.pem
-[root@rgf9dev sample]# ls -l
+[root@rgf9dev sample]# chmod 400 ca-key.pem
+[root@rgf9dev sample]# ls -l
 total 8
 -r-------- 1 root root  887 2008-06-19 12:33 ca-key.pem
 -rw-r--r-- 1 root root 1029 2008-06-19 12:36 ca.pem
-- 
cgit v1.2.3