Private key generation

Private key generation

Zico-5
Hi, is it necessary to generate private from "that server" in which I will install SSL certificate? I mean, say, I want to install SSL certificate for my www.mysite.com, now, is it necessary that, I have to generate private key and csr from that "www.mysite.com" server? Or, I can also create private key and CSR from my local machine and then apply for crt file from any authorized CA certificate provider?

--
Best,
Zico

RE: Private key generation

Dave Thompson-5
> From: [hidden email] On Behalf Of Zico
> Sent: Friday, 13 May, 2011 06:10

> Hi, is it necessary to generate private from "that server"
> in which I will install SSL certificate? I mean, say, I want to
> install SSL certificate for my www.mysite.com, now, is it necessary
> that, I have to generate private key and csr from that "www.mysite.com"
> server? Or, I can also create private key and CSR from my local machine
> and then apply for crt file from any authorized CA certificate provider?
       
The latter, as long as you transfer the private key from your machine
to the server along with the certificate from the CA.

You do need to keep *both* machines (keygen and server) secure
and also the transfer process. It's usually a little *simpler*
to generate on the server, so that's what people usually do.
But any process that produces a valid cert C from a CSR for key P,
and puts C and P together on the desired machine, works.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Private key generation

Zico-5
In reply to this post by Dave Thompson-5


On Sat, May 14, 2011 at 8:06 AM, Dave Thompson <[hidden email]> wrote:

> The latter, as long as you transfer the private key from your machine
> to the server along with the certificate from the CA.
>
> You do need to keep *both* machines (keygen and server) secure
> and also the transfer process. It's usually a little *simpler*
> to generate on the server, so that's what people usually do.
> But any process that produces a valid cert C from a CSR for key P,
> and puts C and P together on the desired machine, works.


All Right! Thanks a lot! I have another confusion. Do we "actually" need a third party to make our certificate? I mean, we can generate self-certified certificates, right? So, will my production machine not run if I don't use CAcert.org or GoDaddy or Verisign? What if, I go for my self-certified certs and jks?

--
Best,
Zico

Re: Private key generation

Larry Bugbee-2

On May 14, 2011, at 11:54 AM, Zico wrote:
> Do we "actually" need a third party to make our certificate? I mean, we can generate self-certified certificates, right? So, will my production machine not run if I don't use CAcert.org or GoDaddy or Verisign?

It is a matter of trust.  If your server is serving a very small group that will trust your self-signed cert, then fine.  If however your server is to be visited by a large number of people most of which won't know you, they would likely feel better if your cert was obtained from a well-known and trustable 3rd party.



Re: Private key generation

Zico-5


On Sun, May 15, 2011 at 1:55 AM, Larry Bugbee <[hidden email]> wrote:


> It is a matter of trust.  If your server is serving a very small group that will trust your self-signed cert, then fine.  If however your server is to be visited by a large number of people most of which won't know you, they would likely feel better if your cert was obtained from a well-known and trustable 3rd party.


Then, no luck! I have to go for 3rd party. So, here are the steps I am going to follow, what do you say?

1. Generate Private key: with openssl genrsa -des3 -out myserv.key 2048
2. Remove passphrase from key:
3. Generate CSR: with openssl req -new -key myserv.key -out myserv.csr
4. Submit this csr into 3rd party
5. get the certificate and SAVE IT AS MYSERV.CRT ( am I correct here? )
6. Concatenation CRT+PRIVATE KEY and SAVE THE CONCATENATION AS PEM FORMAT
7. RE-ENCODE PEM INTO PKCS12
8. Create JKS
9. Now what? how can I install JKS for tomcat and apache? what do you suggest me to do? any link?

--
Best,
Zico
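
The point made earlier in the thread, that any process works as long as cert C really belongs to key P and both end up on the same machine, can be checked before installing anything. The script below is an added example, not code from any poster or from the OpenSSL project: it compares the public key inside the key, the CSR and the certificate. The file names follow the steps above; the self-signed certificate is a constructed stand-in for the CA's reply, the key is generated without `-des3` so nothing prompts, and `changeit` is a placeholder password.

```shell
#!/bin/sh
# Added example (not from the thread): check that key P, the CSR and cert C
# carry the same public key before C and P are installed together.

# SHA-256 of the DER public key inside a private key, CSR or certificate.
pub_fp() {   # pub_fp key|csr|crt FILE
    pem=$(case "$1" in
        (key) openssl pkey -in "$2" -pubout ;;
        (csr) openssl req  -in "$2" -noout -pubkey ;;
        (crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1   # unparsable input must not hash as "empty"
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# True only if both files parse and hold the same public key.
same_key() {   # same_key TYPE1 FILE1 TYPE2 FILE2
    a=$(pub_fp "$1" "$2") && b=$(pub_fp "$3" "$4") && [ "$a" = "$b" ]
}

demo_flow() (
    d=$(mktemp -d) && cd "$d" || exit 1
    trap 'rm -rf "$d"' EXIT        # do not leave the sample key behind
    # Steps 1-3 of the thread; -des3 dropped so the run is non-interactive.
    openssl genrsa -out myserv.key 2048 2>/dev/null || exit 1
    openssl req -new -key myserv.key -subj "/CN=www.mysite.com" -out myserv.csr || exit 1
    # Constructed stand-in for the CA's reply (steps 4-5): self-sign the CSR.
    openssl x509 -req -in myserv.csr -signkey myserv.key -days 1 \
        -out myserv.crt 2>/dev/null || exit 1
    openssl genrsa -out other.key 2048 2>/dev/null || exit 1   # unrelated key
    same_key key myserv.key csr myserv.csr || exit 1
    same_key key myserv.key crt myserv.crt || exit 1
    same_key key other.key  crt myserv.crt && exit 1   # mismatch must be caught
    # Step 7: bundle C and P as PKCS#12 (password is a placeholder).
    openssl pkcs12 -export -inkey myserv.key -in myserv.crt -name myserv \
        -passout pass:changeit -out myserv.p12
    # Step 8 would follow with Java's keytool:
    #   keytool -importkeystore -srckeystore myserv.p12 -srcstoretype PKCS12 \
    #           -destkeystore myserv.jks
)

demo_flow && echo "key, CSR and certificate carry the same public key"
```

Running `same_key key myserv.key crt myserv.crt` against the real files before the PKCS#12 step catches a certificate issued for a different CSR.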