Most Unix-based programs that use TLS, and some Windows ones, use the OpenSSL package for cryptographic support (http://www.openssl.org/). OpenSSL provides command line programs that manipulate keys and certificates, and a cryptographic library used by these utilities and by programs such as Apache. OpenSSL is a development of an earlier package called SSLeay and this older name still appears occasionally.
Red Hat Linux, Fedora and SuSE Linux include OpenSSL as a package (normally in the openssl RPM). Debian provides pre-built packages that you can install for this functionality. Other Linux and Unix installations may be similar. OpenSSL can be built from source, which is available from http://www.openssl.org/source/.
OpenSSL can be built for Windows, but requires development tools that are not normally available by default. Binary copies of OpenSSL for Windows can sometimes be found with a web search - at present copies appear to be available from http://hunter.campbus.com/. Beware that having multiple copies of the OpenSSL .dll files on the same Windows server can lead to problems that are difficult to isolate.
Most command-line interactions with OpenSSL use the openssl command, which itself accepts a sub-command and a range of command-line arguments. These sub-commands and arguments can be confusing and there are often many different ways to achieve the same thing. On Unix systems the manual entry for openssl (man openssl) and for the individual sub-commands can be helpful. The examples below are taken from a Unix system - appropriate changes will be needed under Windows.
To generate an RSA key pair we use the genrsa sub-command.
$ openssl genrsa -des3 -out WWW.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for WWW.key: password
Verifying - Enter pass phrase for WWW.key: password
Arguments used:
-des3    encrypt the result (the private key file) using DES3
-out     store the result in this file
2048     requested key length in bits
openssl requires a source of randomness in order to generate these keys. On modern Unix systems this is normally derived automatically from a random number source in the kernel. On other systems, and under Windows, it may be necessary to use the -rand argument to supply openssl with one or more files containing rapidly changing data.
The generated RSA key pair is encrypted using the supplied pass phrase, since the private component of the pair must remain private. The pass phrase itself must therefore be kept secret but must also not be forgotten, or lost when the only person who knows it leaves, etc. Without it the keys (and any certificates based on these keys) become useless.
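The genrsa steps above, scripted as an added example (this is not code from the original text or from the OpenSSL project): the key is generated non-interactively with -passout instead of the prompt, and the script then checks that the file on disk is owner-readable only, is actually encrypted, opens only with the right pass phrase, and has the requested length. The file names and the pass phrase are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original text: drive `openssl genrsa -des3`
# non-interactively and verify that the pass phrase really protects the key.
# File names and the pass phrase used here are constructed for the demo.

# gen_encrypted_key KEYFILE PASSPHRASE BITS
# -passout replaces the interactive prompt; umask 077 makes the file owner-only.
gen_encrypted_key() {
    (umask 077 && openssl genrsa -des3 -passout "pass:$2" -out "$1" "$3" 2>/dev/null)
}

# key_file_is_private KEYFILE: succeeds if only the owner can read the file
key_file_is_private() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# key_is_encrypted KEYFILE: succeeds if the PEM on disk is encrypted, i.e. it has
# the legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_opens_with KEYFILE PASSPHRASE: succeeds only if the pass phrase unlocks the
# key and openssl's internal consistency check (-check) passes
key_opens_with() {
    openssl rsa -in "$1" -passin "pass:$2" -check -noout >/dev/null 2>&1
}

# key_bits KEYFILE PASSPHRASE: prints the modulus length reported by openssl
key_bits() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# export_public_key KEYFILE PASSPHRASE PUBFILE: the public half needs no pass
# phrase and is the part that a certificate request carries
export_public_key() {
    openssl rsa -in "$1" -passin "pass:$2" -pubout -out "$3" 2>/dev/null
}

# Walk through the steps for a key named WWW.key, as in the text.
demo() {
    dir=$(mktemp -d); key="$dir/WWW.key"; pass='constructed-demo-pass-phrase'
    gen_encrypted_key "$key" "$pass" 2048 || return 1
    key_file_is_private "$key" && key_is_encrypted "$key" || return 1
    key_opens_with "$key" "$pass" || return 1
    if key_opens_with "$key" 'wrong-pass-phrase'; then return 1; fi  # must be refused
    echo "WWW.key: $(key_bits "$key" "$pass")-bit RSA, encrypted, owner-only"
    export_public_key "$key" "$pass" "$dir/WWW.pub"
}
demo
```

Modern OpenSSL releases write the encrypted key in PKCS#8 form ("BEGIN ENCRYPTED PRIVATE KEY") rather than the older "RSA PRIVATE KEY" block with a Proc-Type header, which is why the check looks for either.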