
List:       openssl-users
Subject:    difference between -newcert, -newreq, -newreq-nodes?
From:       Marco Fioretti <mfioretti () mclink ! it>
Date:       2007-06-15 9:00:58
Message-ID: 1.3.200706151100.88771 () mclink ! it

Hello,

I only want to:

* be my own CA in order to

* create a self signed certificate and key (in a separate file) to
  use for encrypted communication between my home email client and a Postfix/dovecot
  server I am building.

* make sure that the private key is not encrypted, so the server restarts unattended
  in case of a reboot.

Now, the online openssl man page of CA.pl
(http://www.openssl.org/docs/apps/CA.pl.html) says:

#########################################

-newcert
    creates a new self signed certificate. The private key and certificate are
    written to the file ``newreq.pem''.

-newreq
    creates a new certificate request. The private key and request are written to the
    file ``newreq.pem''.

-newreq-nodes
    is like -newreq except that the private key will not be encrypted.

##########################################

The questions are:

1) What is the actual difference between "creating a new
certificate request" and "creating a new self signed
certificate"? Why are there "certificates" and "certificate
*requests*"? What is the exact doc to read to understand this
point?

2) Which of these options are needed, and in which order,
   to do all and only what I described at the beginning of
   this message? Is this command sequence the right one for
   this scenario:

./CA -newca
./CA -newreq-nodes

or do I also have to add:

./CA -sign

or something else?

3) Running the two commands in 2) I will have (if I understand
   correctly) the new certificate and key all in one file
   (newreq.pem). How do I get them in separate files? Can I just
   cut the key part and paste it in another file, or is there
   a better way?

I *have* already checked several online tutorials but frankly
they do not make these points clear (not to mention that
some are pretty old and quite a few of the others talk about
a CA _shell_ script and that, on CentOS at least,
you do find packaged a CA shell script and not a CA.pl one).

Thank you in advance for any feedback,

Marco


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
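
Added example, not part of the original message and not OpenSSL project code: a small Python splitter for a combined PEM file such as the newreq.pem discussed above, which separates the private key from the request or certificate and reports whether the key is still passphrase-encrypted. The function names, output paths and the sample PEM text (placeholder bodies, no real key material) are constructed for illustration.

```python
import os
import re

# One PEM block; the label (e.g. "RSA PRIVATE KEY") must agree in BEGIN and END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return a list of (label, block_text, encrypted) for each PEM block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        is_key = label.endswith("PRIVATE KEY")
        # Traditional key format marks encryption in a header line;
        # PKCS#8 marks it in the label ("ENCRYPTED PRIVATE KEY").
        encrypted = is_key and ("ENCRYPTED" in label
                                or "Proc-Type: 4,ENCRYPTED" in body)
        blocks.append((label, m.group(0) + "\n", encrypted))
    return blocks

def write_split(text, key_path, other_path):
    """Write key blocks to key_path (mode 0600), everything else to other_path."""
    blocks = split_pem(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    others = [b for b in blocks if not b[0].endswith("PRIVATE KEY")]
    # Create the key file owner-only from the start instead of chmod-ing later.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as f:
        f.write("".join(b[1] for b in keys))
    with open(other_path, "w") as f:
        f.write("".join(b[1] for b in others))
    return [b[0] for b in keys], [b[0] for b in others], any(b[2] for b in keys)

# Constructed sample standing in for newreq.pem: placeholder base64 bodies only.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgS0VZIEJPRFk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgUkVRVUVTVCBCT0RZ
-----END CERTIFICATE REQUEST-----
"""
```

A key reported as encrypted will make the server prompt for a passphrase at start-up; a key reported as unencrypted should stay readable only by the account the mail server runs as.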

