FreeKB - Create private key using OpenSSL on Linux

The easiest way to install OpenSSL is with the distribution's package manager (apt-get on Debian/Ubuntu, yum on RHEL/CentOS). This installs the version packaged by the distribution, which may lag behind the latest upstream release; run openssl version to see which one you have, since the output format of some commands differs between OpenSSL 1.x and 3.x.

apt-get install openssl
yum install openssl

 


Private key

A public certificate and its corresponding private key are used to authenticate a host and to set up an encrypted session between hosts. One of the most popular uses is on a web server, so that resources can be served to clients over HTTPS: the server proves its identity to the client with the certificate and the private key, and the TLS handshake then derives the symmetric session keys that actually encrypt the traffic. The first step is to create the private key. In this example, the private key is placed on the web server. As the name implies, a private key is private and must never be made public: anyone who obtains it can impersonate the server, and with cipher suites that use RSA key transport can also decrypt previously captured traffic.

 


RSA

The genrsa option creates an RSA private key (the key itself is not encrypted unless a cipher option is added, see below). In this example, the private key will be named example.com.key and have a 2048-bit modulus. 2048 bits is the minimum that should be used today; 3072 or 4096 bits is reasonable for keys that will stay in service for a long time.

openssl genrsa -out example.com.key 2048

 

Adding a symmetric cipher option (-aes128 in this example) together with a passphrase encrypts the private key file, so that the file alone is useless without the passphrase. Note that the number of bits must be the last argument to genrsa. Also note that -passout pass:foobar places the passphrase in your shell history and in the process list visible to other users on the host; reading it from a file with -passout file:/path/to/passfile (permissions 400) or omitting -passout so that OpenSSL prompts for it is safer.

openssl genrsa -aes128 -passout pass:foobar -out example.com.key 2048

 

With OpenSSL 1.x the private key file is written in the traditional PKCS#1 format and should begin with the following.

-----BEGIN RSA PRIVATE KEY-----

OpenSSL 3.x writes keys in PKCS#8 format by default, so the file begins with -----BEGIN PRIVATE KEY----- instead (or -----BEGIN ENCRYPTED PRIVATE KEY----- when a passphrase was set). Both formats are accepted by web servers; add the -traditional option to genrsa in OpenSSL 3.x if the older header is required.

 


DSA

The dsaparam option is first used to create the DSA parameters file. In this example, the parameters (and therefore the private key) are 2048 bits. Note that DSA certificates are not supported by TLS 1.3 and are rejected by current browsers, so a DSA key is of little use for HTTPS today; prefer RSA or ECDSA for a web server.

openssl dsaparam -out dsaparam.pem 2048

 

View the content of the dsaparam file and ensure BEGIN DSA PARAMETERS is displayed.

cat dsaparam.pem
-----BEGIN DSA PARAMETERS-----

 

The gendsa option creates a DSA private key from the parameters file. In this example, the private key will be named example.com.key.

openssl gendsa -out example.com.key dsaparam.pem

 

Or, the req option with the -newkey and -keyout flags can be used. Note that with -x509 this also generates a self-signed certificate, which is written to standard output unless -out is given, and that req will prompt for a passphrase to protect the new key unless -nodes (or -noenc in OpenSSL 3.x) is added.

openssl req -x509 -newkey dsa:dsaparam.pem -keyout example.com.key

 


ECDSA

The ecparam option with the -genkey flag creates the ECDSA private key. The -name flag selects the curve; prime256v1 (NIST P-256) is the curve most widely supported by TLS clients, with secp384r1 as the usual alternative. ECDSA keys are much smaller than RSA keys of equivalent strength and make for faster handshakes.

openssl ecparam -genkey -out example.com.key -name prime256v1

 

View the content of the private key file and ensure BEGIN EC PARAMETERS and BEGIN EC PRIVATE KEY are displayed. The EC PARAMETERS block only names the curve and is omitted if -noout is added to the ecparam command; the curve is also recorded inside the key itself, so the key works without it.

cat example.com.key
. . .
-----BEGIN EC PARAMETERS-----
. . .
-----BEGIN EC PRIVATE KEY-----

 


Permissions

Use the chmod command to set the permissions of the private key to 400 (or 600 if the service needs to rewrite it), so that only the file owner can read the private key file. Make sure the owner is the account that actually needs the key, such as root or the web server user. A private key that was readable by other accounts on the host, even briefly, should be treated as exposed and replaced.

chmod 400 example.com.key

 

A private key doesn't contain metadata such as an alias, a subject name or an expiration date, so there is nothing to decode from it in the way you would from a certificate. It can still be parsed and checked, for example to confirm that the key is internally consistent and that its public key matches the certificate that was issued for it.
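The script below is an example added here, not code from the original page or from the OpenSSL project, that ties the steps above together: it creates RSA and ECDSA keys so that they are never world-readable (umask 077 instead of a chmod after the fact), reads the passphrase for an encrypted key from a file instead of the command line, checks the PEM header, verifies the key is consistent with openssl pkey -check, and compares the SHA-256 fingerprint of the key's public key with the one in a certificate to confirm they belong together. It assumes OpenSSL 1.1.1 or newer; the directory $KEYDIR, the file names and the passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): generate TLS private keys and
# sanity-check them before handing them to a web server.
# Assumptions: OpenSSL 1.1.1 or 3.x is installed; files go under $KEYDIR
# (a temporary directory by default); the passphrase for the encrypted RSA
# key is read from a file instead of being passed as -passout pass:...,
# which would leave it in shell history and in `ps` output.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"

# Every generator runs under umask 077 so the key is 0600 from the moment the
# file exists; a chmod 400 afterwards leaves a window in which it was 0644.
gen_rsa_key() {                    # gen_rsa_key <out.key> [bits]
    ( umask 077 && openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null )
}

gen_rsa_key_encrypted() {          # gen_rsa_key_encrypted <out.key> <passfile> [bits]
    # -aes128 encrypts the key file; the number of bits must be the last argument.
    ( umask 077 && openssl genrsa -aes128 -passout "file:$2" -out "$1" "${3:-2048}" 2>/dev/null )
}

gen_ec_key() {                     # gen_ec_key <out.key> [curve]
    # -noout omits the separate "EC PARAMETERS" block; the curve name is
    # still embedded in the key itself.
    ( umask 077 && openssl ecparam -genkey -noout -name "${2:-prime256v1}" -out "$1" )
}

# Label of the first PEM block, e.g. "RSA PRIVATE KEY" (OpenSSL 1.x) or
# "PRIVATE KEY" (OpenSSL 3.x PKCS#8 default).
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Octal permission bits of a file, e.g. 600 (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Parse the key and verify its components are consistent (for RSA, that the
# primes really multiply to the modulus). A passphrase file is optional.
key_check() {                      # key_check <key> [passfile]
    if [ -n "${2:-}" ]; then
        openssl pkey -in "$1" -passin "file:$2" -check -noout >/dev/null 2>&1
    else
        openssl pkey -in "$1" -check -noout >/dev/null 2>&1
    fi
}

# SHA-256 of the DER-encoded public key (SubjectPublicKeyInfo). The same value
# computed from a certificate tells you the certificate was issued for this key.
key_pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

cert_pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# Self-signed certificate for a key, used here only to demonstrate the match
# check; in production a CSR for the key goes to a CA instead.
self_signed_cert() {               # self_signed_cert <key> <out.crt> [cn]
    openssl req -new -x509 -key "$1" -subj "/CN=${3:-example.com}" -days 1 -out "$2" 2>/dev/null
}

# Demo run: one RSA and one ECDSA key, a certificate for the RSA key, and the checks.
gen_rsa_key "$KEYDIR/example.com.key"
gen_ec_key "$KEYDIR/example.com.ec.key"
self_signed_cert "$KEYDIR/example.com.key" "$KEYDIR/example.com.crt"
for k in "$KEYDIR/example.com.key" "$KEYDIR/example.com.ec.key"; do
    printf '%s: mode %s, header "%s", consistency check %s\n' "$k" "$(key_mode "$k")" \
        "$(pem_label "$k")" "$(key_check "$k" && echo ok || echo FAILED)"
done
echo "key  fingerprint: $(key_pubkey_fingerprint "$KEYDIR/example.com.key")"
echo "cert fingerprint: $(cert_pubkey_fingerprint "$KEYDIR/example.com.crt")"
```

The fingerprint comparison is the check to run whenever a certificate is installed or renewed: if the two values differ, the web server has been given a certificate that was issued for a different key and the TLS handshake will fail. Because the public key is derived from the private key, the same fingerprint can also be computed from a CSR with openssl req -pubkey, so a key, its CSR and the issued certificate can all be matched up without exposing the private key.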



Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |