Bootstrap FreeKB - OpenSSL - Create private key
OpenSSL - Create private key
Updated:   |  OpenSSL articles

The easist way to install the latest stable version of OpenSSL is to use apt-get or yum.

apt-get install openssl
yum install openssl

 

Private key

A public certificate and it's corresponding private key can be used to encrypt packets being transmitted between hosts. One of the most popular uses of a public certificate and it's corresponding private key is to encrypt the resources being transmitted to clients from a web server, so that HTTPS can be used. The first step is to create the private key. In this example, the private key is placed on the web server. As the name implies, a private key is private, and should never be made public.

 

RSA

The genrsa option is used to create an RSA encrypted private key. In this example, the private key will be named example.com.key and have a 2048-bit algorithm.

openssl genrsa -out example.com.key 2048

 

Including the symmetric cipher (-aes128 in this example) and protecting the private key with a password will create a password protected key.

openssl genrsa -out example.com.key 2048 -aes128 -passout pass:foobar

 

The private key file should begin with the following.

-----BEGIN RSA PRIVATE KEY-----

 

DSA

The dsaparam option is first used to create the DSA parameters file. In this example, the private key will have a 2048-bit algorithm.

openssl dsaparam -out dsaparam.pem 2048

 

View the content of the dsaparam file and ensure BEGIN DSA PARAMETERS is displayed.

cat dsaparam.pem
----------BEGIN DSA PARAMETERS-----

 

The gendsa option is used to create a DSA encrypted private key. In this example, the private key will be named example.com.key.

openssl gendsa -out example.com.key dsaparam.pem

 

Or, the req option with the -newkey and -keyout flags can be used.

openssl req -x509 -newkey dsa:dsaparam.pem -keyout example.com.key

 

ECDSA

The ecparam option with the -genkey flag is used to create the ECDSA private key.

openssl ecparam -genkey -out example.com.key -name prime256v1

 

View the content of the private key file and ensure BEGIN EC PARAMETERS and BEGIN EC PRIVATE KEY are displayed.

cat example.com.key
. . .
----------BEGIN EC PARAMETERS-----
. . .
----------BEGIN EC PRIVATE KEY-----

 

Permissions

Use the chmod command to update the permissions of the private key to be 400, so that only you can read the private key file.

chmod 400 example.com.key

 

A private key doesn't contain user specific data, such as an "alias" or "expiration date", so you wouldn't ever decode out data from a private key.

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter 5a3cf2 in the box below so that we can be sure you are a human.