OpenSSL 有关密钥的那些事儿(HOWTO keys)

Posted gccbuaa

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了OpenSSL 有关密钥的那些事儿(HOWTO keys)相关的知识,希望对你有一定的参考价值。

<DRAFT!>
			OpenSSL 有关密钥的那些事儿(HOWTO keys)

1. 介绍(Introduction)

Keys are the basis of public key algorithms and PKI.  Keys usually
come in pairs, with one half being the public key and the other half
being the private key.  With OpenSSL, the private key contains the
public key information as well, so a public key doesn‘t need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms.  The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.


2. 生成 RSA 密钥(To generate a RSA key)

A RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy, all you have to
do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password.  If
you don‘t want your key to be protected by a password, remove the flag
‘-des3‘ from the command line above.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for RSA keys, as fewer amount of bits is
consider insecure or to be insecure pretty soon.


3. 生成 DSA 密钥(To generate a DSA key)

A DSA key can be used for signing only.  This is important to keep
in mind to know what kind of purposes a certificate request with a
DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process.  First,
you have to generate parameters from which to generate the key:

  openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for DSA keys, as fewer amount of bits is
consider insecure or to be insecure pretty soon.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

  openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password.  If
you don‘t want your key to be protected by a password, remove the flag
‘-des3‘ from the command line above.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.

-- 
Richard Levitte

以上是关于OpenSSL 有关密钥的那些事儿(HOWTO keys)的主要内容,如果未能解决你的问题,请参考以下文章

有关dubbo面试的那些事儿

PHP有关JWT(Json Web Token)的那些事

PHP有关JWT(Json Web Token)的那些事

Java 进行 RSA 加解密时不得不考虑到的那些事儿

与内存有关的那些事儿(数组分配空间不够,导致缓冲区溢出,从而strcpy会出现异常)

设计那些事儿