DKIM: document generation of RSA keys

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 726f3af8a2268034f80c7e9c9a11ae83c1f24639..7d5b3b3cf159ff90aa797e4dd9f38b528cb4f99c 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38932,6 +38932,20 @@ is set.
 .endlist
 
 .new
 .endlist
 
 .new

+To generate keys under OpenSSL:
+.code
+openssl genrsa -out dkim_rsa.private 2048
+openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM
+.endd
+Take the base-64 lines from the output of the second command, concatenated,
+for the DNS TXT record.
+
+Under GnuTLS:
+.code
+certtool --generate-privkey --rsa --bits=2048 --password='' -8 --outfile=dkim_rsa.private
+certtool --load-privkey=dkim_rsa.private --pubkey-info
+.endd
+

 Note that RFC 8301 says:
 .code
 Signers MUST use RSA keys of at least 1024 bits for all keys.
 Note that RFC 8301 says:
 .code
 Signers MUST use RSA keys of at least 1024 bits for all keys.


@@ -38948,8 +38962,9 @@ The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
 for EC keys.
 
 As of writing, producing EC key materials is not well supported
 for EC keys.
 
 As of writing, producing EC key materials is not well supported

-by the major libraries.  GnuTLS 3.6.0 can create a private key:
+by the major libraries.  OpenSSL 1.1.1 and GnuTLS 3.6.0 can create private keys:

 .code
 .code

+openssl genpkey -algorithm ed25519 -out dkim_ed25519.private

 certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
 .endd
 
 certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
 .endd