5.2.2 Creating a private key for the Web server
This section describes how to create a private key for the Web server by using the openssl.bat command or openssl.sh command for each encryption type.
(1) When using RSA encryption (openssl.bat genrsa command or openssl.sh genrsa command)
Create a private key for the Web server by using the openssl.bat genrsa command or openssl.sh genrsa command. The created Web server private key file is specified in the SSLCertificateKeyFile directive.
The private key is created in the format conforming to PKCS#1.
(a) Format
In Windows
openssl.bat genrsa -rand file-name -out key-file [1024|2048|4096]
In UNIX
openssl.sh genrsa -rand file-name[:file-name...] -out key-file [1024|2048|4096]
(b) Parameters
- -rand file-name (in Windows)
- -rand file-name[:file-name...] (in UNIX)
  Specify any file to be used as seed material for random number generation. The file must be large enough to seed the random number generator adequately. In Windows, you can specify only one file name; multiple file names cannot be specified.
- -out key-file
  Specify the file to which the Web server private key is output.
- [1024|2048|4096]
  Specify the bit length of the Web server private key.
(c) Usage example
The following example shows how to create the Web server private key httpsdkey.pem in the format conforming to PKCS#1.
In Windows
openssl.bat genrsa -rand file1 -out httpsdkey.pem 2048
file1: an arbitrary file
In UNIX
openssl.sh genrsa -rand file1:file2:file3:file4:file5 -out httpsdkey.pem 2048
file1, file2, file3, file4, and file5: arbitrary files
(2) When using elliptic curve cryptography (openssl.bat ecparam command or openssl.sh ecparam command)
Create a private key for the Web server by using the openssl.bat ecparam command or openssl.sh ecparam command. The created Web server private key file can be specified in the SSLCertificateKeyFile directive.
(a) Format
In Windows
openssl.bat ecparam -genkey -noout -rand file-name -name elliptic-curve-name -out key-file
In UNIX
openssl.sh ecparam -genkey -noout -rand file-name[:file-name...] -name elliptic-curve-name -out key-file
(b) Parameters
- -rand file-name (in Windows)
- -rand file-name[:file-name...] (in UNIX)
  Specify any file to be used as seed material for random number generation. The file must be large enough to seed the random number generator adequately. In Windows, you can specify only one file name; multiple file names cannot be specified.
- -name elliptic-curve-name
  Specify the name of the elliptic curve to be used for generating the private key. Specify one of the following curve names:
  - secp384r1
  - secp521r1
  - prime256v1
  - P-256
  - P-384
  - P-521
- -out key-file
  Specify the file to which the Web server private key is output.
(c) Usage example
The following example shows how to create the private key httpsdkey.pem that uses elliptic curve cryptography. When using the private key on the Web server, convert httpsdkey.pem to the PKCS#8 format.
In Windows
openssl.bat ecparam -genkey -noout -rand file1 -name P-256 -out httpsdkey.pem
file1: an arbitrary file
In UNIX
openssl.sh ecparam -genkey -noout -rand file1:file2:file3:file4:file5 -name P-256 -out httpsdkey.pem
file1, file2, file3, file4, and file5: arbitrary files
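The RSA procedure above writes the key in PKCS#1 form, while the key written by ecparam is in SEC1 form and must be converted to PKCS#8 before the Web server can use it. The following Python is an added check, not part of this manual or the product's openssl.bat/openssl.sh tooling: it classifies a PEM private key file by its container format and, for an unencrypted PKCS#8 key, decodes the AlgorithmIdentifier to report the algorithm and named curve (so the result of the conversion can be verified against the curve chosen with -name). The sample key bodies embedded below are constructed placeholders, not real keys.

```python
import base64
import re

# PEM label -> container format (OpenSSL's standard labels)
LABELS = {"RSA PRIVATE KEY": "PKCS#1 (RSA)", "EC PRIVATE KEY": "SEC1 (EC)",
          "PRIVATE KEY": "PKCS#8", "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)"}
# OIDs found in a PKCS#8 AlgorithmIdentifier; P-256/P-384/P-521 are aliases of the last three
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "id-ecPublicKey",
        "1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Decode DER OID content bytes to dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value)); value = 0
    return ".".join(parts)

def inspect_pem(pem):
    """Return {'container': ..., 'algorithm': ..., 'curve': ...} for a PEM private key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.groups()
    info = {"container": LABELS.get(label, "unknown (" + label + ")")}
    if label != "PRIVATE KEY":             # only unencrypted PKCS#8 is parsed further
        return info
    _, pki, _ = _tlv(base64.b64decode("".join(body.split())), 0)  # PrivateKeyInfo SEQUENCE
    _, _, pos = _tlv(pki, 0)                                        # version INTEGER
    _, algid, _ = _tlv(pki, pos)                                    # AlgorithmIdentifier SEQUENCE
    _, oid, pos = _tlv(algid, 0)
    info["algorithm"] = OIDS.get(_oid(oid), _oid(oid))
    if pos < len(algid):
        tag, param, _ = _tlv(algid, pos)
        if tag == 0x06:                    # EC keys carry the namedCurve OID as the parameter
            info["curve"] = OIDS.get(_oid(param), _oid(param))
    return info

# Constructed sample: a PKCS#8 wrapper naming P-256 with a placeholder body (not a real key)
SAMPLE_DER = bytes.fromhex("301e020100" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "0404deadbeef")
SAMPLE_PKCS8_PEM = ("-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_DER).decode()
                    + "-----END PRIVATE KEY-----\n")
SAMPLE_SEC1_PEM = "-----BEGIN EC PRIVATE KEY-----\nAA==\n-----END EC PRIVATE KEY-----\n"
```

Run inspect_pem on the contents of httpsdkey.pem before and after the PKCS#8 conversion: the container should change from SEC1 (EC) to PKCS#8 and the reported curve should match the -name value used with ecparam.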