Chapter 3. Creating keys and certificates

Table of Contents
3.1. Creating an RSA public key pair
3.2. Viewing the key pair
3.3. Creating a CSR
3.4. Creating a key and a CSR at the same time
3.5. Viewing the CSR
3.6. Getting a real certificate
3.7. Viewing the certificate
3.8. Self-signed certificates

Most Unix-based programs that use TLS, and some Windows ones, use the OpenSSL package for cryptographic support (http://www.openssl.org/). OpenSSL provides command line programs that manipulate keys and certificates, and a cryptographic library used by these utilities and by programs such as Apache. OpenSSL is a development of an earlier package called SSLeay and this older name still appears occasionally.

Red Hat Linux, Fedora and SuSE Linux include OpenSSL as a package (normally in the openssl RPM). Debian provides pre-built packages that you can install for this functionality. Other Linux and Unix installations may be similar. OpenSSL can be built from source, which is available from http://www.openssl.org/source/.

OpenSSL can be built for Windows, but requires development tools that are not normally available by default. Binary copies of OpenSSL for Windows can sometimes be found with a web search - at present copies appear to be available from http://hunter.campbus.com/. Beware that having multiple copies of the OpenSSL .dll files on the same Windows server can lead to problems that are difficult to isolate.

Most command-line interactions with OpenSSL use the openssl command, which itself accepts a sub-command and a range of command-line arguments. These sub-commands and arguments can be confusing and there are often many different ways to achieve the same thing. On Unix systems the manual entry for openssl (man openssl) and for the individual sub-commands can be helpful. The examples below are taken from a Unix system - appropriate changes will be needed under Windows.

3.1. Creating an RSA public key pair

To generate an RSA key pair we use the genrsa sub-command.


$ openssl genrsa -des3 -out WWW.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for WWW.key: password
Verifying - Enter pass phrase for WWW.key: password

Arguments used

-des3

encrypt the result using DES3

-out

store the result in this file

2048

requested key length

openssl requires a source of randomness in order to generate these keys. On modern Unix systems this is normally derived automatically from a random number source in the kernel. On other systems, and under Windows, it may be necessary to use the -rand argument to supply openssl with one or more files containing rapidly changing data.

The generated RSA key pair is encrypted using the supplied pass phrase, since the private component of the pair must remain private. The pass phrase itself must therefore be kept secret but must also not be forgotten, or lost when the only person who knows it leaves, etc. Without it the keys (and any certificates based on these keys) become useless.
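The same key generation done without an interactive prompt, as an added example that is not part of the original chapter: the pass phrase is handed to openssl through an environment variable (the -passout/-passin options, so it never appears on the command line or in the process list), the key is written with mode 600, and the result is checked to confirm that the file really is encrypted and that only the correct pass phrase unlocks it. It assumes an openssl binary on the PATH and uses -aes256 in place of the chapter's -des3 (genrsa accepts either).

```shell
#!/bin/sh
# Added example: pass-phrase protected RSA key generation and checks.
# Assumes `openssl` is installed; not code from the original chapter.

# Generate a 2048-bit RSA key into $1, encrypted with the pass phrase $2.
# env:KEY_PASS tells openssl to read the secret from that variable, so
# there is no prompt and no secret in `ps` output. The umask in the
# subshell makes the new file readable only by its owner (mode 600).
make_encrypted_key() {
    key="$1"
    phrase="$2"
    (umask 077; KEY_PASS="$phrase" openssl genrsa -aes256 \
        -passout env:KEY_PASS -out "$key" 2048 >/dev/null 2>&1)
}

# Return 0 if the PEM file $1 carries an encryption marker: either the
# legacy "RSA PRIVATE KEY" block with a "Proc-Type: 4,ENCRYPTED" header
# (OpenSSL 1.x) or the PKCS#8 "ENCRYPTED PRIVATE KEY" block (OpenSSL 3).
key_is_encrypted() {
    grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if the key in $1 can be decrypted with pass phrase $2 and
# passes openssl's RSA consistency check; non-zero otherwise.
key_unlocks_with() {
    KEY_PASS="$2" openssl rsa -in "$1" -passin env:KEY_PASS \
        -noout -check >/dev/null 2>&1
}

# Stand-alone demonstration: generate, then verify both outcomes.
demo() {
    dir=$(mktemp -d)
    make_encrypted_key "$dir/WWW.key" "constructed-demo-phrase" || return 1
    key_is_encrypted "$dir/WWW.key" || return 1
    key_unlocks_with "$dir/WWW.key" "constructed-demo-phrase" || return 1
    # A wrong pass phrase must be rejected, otherwise the file is not
    # really protected.
    if key_unlocks_with "$dir/WWW.key" "not-the-phrase"; then return 1; fi
    rm -rf "$dir"
    return 0
}
```

Running `demo` returns 0 only when all four checks pass; the -out file keeps the same form the chapter shows, so it can be fed straight to the CSR steps that follow.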