DKIM: document generation of RSA keys

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 726f3af8a2268034f80c7e9c9a11ae83c1f24639..7d5b3b3cf159ff90aa797e4dd9f38b528cb4f99c 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38932,6 +38932,20 @@ is set.
 .endlist
 
 .new
+To generate keys under OpenSSL:
+.code
+openssl genrsa -out dkim_rsa.private 2048
+openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM
+.endd
+Take the base-64 lines from the output of the second command, concatenated,
+for the DNS TXT record.
+
+Under GnuTLS:
+.code
+certtool --generate-privkey --rsa --bits=2048 --password='' -8 --outfile=dkim_rsa.private
+certtool --load-privkey=dkim_rsa.private --pubkey-info
+.endd
+
 Note that RFC 8301 says:
 .code
 Signers MUST use RSA keys of at least 1024 bits for all keys.
@@ -38948,8 +38962,9 @@ The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
 for EC keys.
 
 As of writing, producing EC key materials is not well supported
-by the major libraries.  GnuTLS 3.6.0 can create a private key:
+by the major libraries.  OpenSSL 1.1.1 and GnuTLS 3.6.0 can create private keys:
 .code
+openssl genpkey -algorithm ed25519 -out dkim_ed25519.private
 certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
 .endd