Quote:
I don't intend to make a key with a passphrase. So I will just make the key as such:
openssl genrsa -aes256 4096 > server.key
|
if you don't want an encrypted key, then you shouldn't specify the -aes256 encryption option.
regarding -sha256, the req man page says this:
Code:
-[digest]
this specifies the message digest to sign the request with (such as -md5, -sha1). This
overrides the digest algorithm specified in the configuration file. For full list of
possible digests see openssl dgst -h output.
i suppose the message digest would be used in verifying ("openssl req -verify -in server.csr") that the request has not been altered. you can see the digest of the request in the output of "openssl req -text -noout -in server.csr" (look for "Signature Algorithm").
if you're going to make a self-signed certificate, you can shorten the procedure to a single step. here, -sha256 specifies the digest algorithm for the certificate, not for the request, which does not even get produced with this command. the -nodes causes an unencrypted key to be outputted.
Code:
openssl req -new -x509 -sha256 -days 365 -nodes -newkey rsa:4096 -keyout server.key -out server.crt
Quote:
Also, for the single session key that gets created dynamically...how do I specify what encryption I want to use? Can't I use AES for the stream encryption(single session key) since it is symmetric?
|
that would have to be a cipher setting on nginx. but, a symmetric key is what is used for the session key. the (asymmetric) key you generate with openssl is used to exchange the session key between client and server.