Generate a Private Key for Use with Certificates
A private key is required for encrypting the certificate used in authenticating the peers in TLS-secured communication. It is also used for data encryption, typically to encrypt the exchange of symmetric keys that are used for the duration of the TLS session.
Private keys are usually based on the RSA algorithm, but it is also possible to use other algorithms such as ECDSA. The TLS connector only supports private keys based on RSA.
When creating a private key, you need to consider the strength of the encryption required. The size of the key (in bits) determines how strong it is, but a longer key decreases the speed with which a TLS connection can be established. 2048-bit keys provide a good balance between security and performance, but you can choose 1024-bit keys for faster performance, or 4096-bit keys for extra protection.
When generating RSA keys, you are asked for a pass phrase to protect the key. A strong pass phrase contains at least 35 characters, and should contain words that are not found in any language dictionary. (See https://en.wikipedia.org/wiki/Passphrase.) Do not use commas, or leading and trailing whitespace in the pass phrase.
The following examples use OpenSSL 1.0.1 to generate different types of private keys for use with certificates, but other tools can be used.
Note: If you use OpenSSL 1.0.2, use the genpkey command with the -algorithm flag to specify RSA, DSA or EC. Do not use the DH (Diffie-Hellman) algorithm, because it is not a signing algorithm and cannot be used to sign certificates.
- To generate an RSA private key with OpenSSL, use the genrsa option. The parameters of openssl genrsa determine the type of encryption used. For example:
  - For 1024-bit DES3 encryption:
    openssl genrsa -des3 -out server.keypw 1024
  - For 2048-bit AES encryption:
    openssl genrsa -aes256 -out server.keypw 2048
  Tip: In these examples, we are naming the key file server.keypw to indicate that the key is protected by a secret pass phrase.
- To generate an ECDSA private key with OpenSSL, use the ecparam option, which uses a curve instead of a number of bits.
  - To find out the available curves, use the -list_curves flag. For example:
    openssl ecparam -list_curves
  - Generate the key using the desired curve. For example:
    openssl ecparam -name prime256v1 -genkey -out server.key
    No pass phrase is required.
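The two procedures above as one runnable script, added here as an example (it is not code from the original page or from the TLS connector product): it generates a pass-phrase-protected 2048-bit RSA key and a prime256v1 ECDSA key, then checks what a reviewer would verify before accepting a key, namely that the RSA key is encrypted and at least 2048 bits and that the EC key is on the expected curve. It uses genpkey, as the note on OpenSSL 1.0.2 suggests, so the RSA file is a PKCS#8 key rather than the traditional genrsa format. Assumptions: openssl 1.1 or later on PATH; WORKDIR, KEY_PASS and the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate the key types described above with OpenSSL and
# verify them before use. Assumes openssl 1.1+ on PATH; KEY_PASS, WORKDIR
# and the function names are this example's own, not from the page.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
# The pass phrase is read via -pass env:, not given on the command line,
# so it is not visible in the process list. The default is a placeholder.
export KEY_PASS="${KEY_PASS:-placeholder pass phrase of at least thirty five characters}"
# RSA key of $2 bits, AES-256 protected (genpkey form of "genrsa -aes256").
# The subshell body keeps umask 077 local: the file is owner-readable only.
gen_rsa_key() (
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$2" \
        -aes-256-cbc -pass env:KEY_PASS -out "$1" 2>/dev/null
)

# ECDSA key on curve $2; no pass phrase, as in the ecparam example.
gen_ec_key() (
    umask 077
    openssl ecparam -name "$2" -genkey -noout -out "$1" 2>/dev/null
)

# True when the PEM file is pass-phrase protected (PKCS#8 "ENCRYPTED
# PRIVATE KEY" block or the traditional "Proc-Type: 4,ENCRYPTED" header).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Prints the RSA modulus size in bits, or 0 if the key cannot be read.
rsa_key_bits() {
    bits=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1)
    echo "${bits:-0}"
}
# Prints the named curve of an EC key (empty if it has none).
ec_key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*ASN1 OID: *\([^ ]*\).*$/\1/p' | head -n 1
}
# Policy for an RSA server key: pass-phrase protected and at least the
# 2048 bits the text recommends, so the faster 1024-bit option is rejected.
rsa_key_acceptable() {
    key_is_encrypted "$1" && [ "$(rsa_key_bits "$1")" -ge 2048 ]
}
gen_rsa_key "$WORKDIR/server.keypw" 2048
gen_rsa_key "$WORKDIR/weak.keypw" 1024   # made only to show the policy check rejecting it
gen_ec_key "$WORKDIR/server.key" prime256v1
```

Run it as a normal user with KEY_PASS set in the environment; the generated files land in WORKDIR (a fresh temporary directory unless you set one).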