Update openssl chapter based on modern certificate requirements

All Certificate Authorities now require 2048 bit keys with SHA256 hashes
This change brings our documentation inline with that requirement

PR:		199379
Submitted by:	Roland van Laar <roland@micite.net> (original)
Approved by:	wblock (mentor)
Differential Revision:	https://reviews.freebsd.org/D2836

en_US.ISO8859-1/books/handbook/security/chapter.xml

@@ -1840,6 +1840,11 @@ kadmind5_server_enable="YES"</programlisting>
       example of how to create a <acronym>CA</acronym> for signing
       one's own certificates.</para>
 
+    <para>For more information about <acronym>SSL</acronym>, read the
+      free <link
+	xlink:href="https://www.feistyduck.com/books/openssl-cookbook/">OpenSSL
+	Cookbook</link>.</para>
+
     <sect2>
       <title>Generating Certificates</title>
 
@@ -1858,12 +1863,11 @@ kadmind5_server_enable="YES"</programlisting>
 	verifying the certificate will issue a warning to the user,
 	rendering the verification provided by the certificate as
 	useless.</para>
-
-      <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
-Generating a 1024 bit RSA private key
-................++++++
-.......................................++++++
-writing new private key to 'cert.pem'
+      <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048</userinput>
+Generating a 2048 bit RSA private key
+..................+++
+.............................................................+++
+writing new private key to 'cert.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
@@ -1882,7 +1886,7 @@ Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></user
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
-A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
+A challenge password []:
 An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
 
       <para>Other options, such as the expire time and alternate
@@ -1896,7 +1900,7 @@ An optional company name []:<userinput><replaceable>Another Name</replaceable></
 	<acronym>CA</acronym> who will validate the entered
 	credentials, sign the request, and return the signed
 	certificate.  The second file,
-	<filename>cert.pem</filename>, is the private key for the
+	<filename>cert.key</filename>, is the private key for the
 	certificate and should be stored in a secure location.  If
 	this falls in the hands of others, it can be used to
 	impersonate the user or the server.</para>
@@ -1905,29 +1909,17 @@ An optional company name []:<userinput><replaceable>Another Name</replaceable></
 	is not required, a self-signed certificate can be created.
 	First, generate the <acronym>RSA</acronym> key:</para>
 
-      <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput>
+      <screen>&prompt.root; <userinput>openssl genrsa -rand -genkey -out cert.key 2048</userinput>
 0 semi-random bytes loaded
-Generating DSA parameters, 1024 bit long prime
-This could take some time
-.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
-..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen>
+Generating RSA private key, 2048 bit long modulus
+.............................................+++
+.................................................................................................................+++
+e is 65537 (0x10001)</screen>
 
-      <para>Next, generate the <acronym>CA</acronym> key.  When
-	prompted, enter a passphrase between 4 to 1023 characters.
-	Remember this passphrase as it is needed whenever the key is
-	used to sign a certificate.</para>
+      <para>Use this key to create a self-signed certificate.
+	Follow the usual prompts for creating a certificate:</para>
 
-      <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput>
-Generating DSA key, 1024 bits
-Enter PEM pass phrase:
-Verifying - Enter PEM pass phrase:</screen>
-
-      <para>Use this key to create a self-signed certificate.  When
-	prompted, enter the passphrase.  Then follow the usual prompts
-	for creating a certificate:</para>
-
-      <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput>
-Enter pass phrase for myca.key:
+      <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256</userinput>
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
@@ -1944,11 +1936,11 @@ Common Name (e.g. server FQDN or YOUR name) []:<userinput><replaceable>localhost
 Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen>
 
       <para>This will create two new files in the current directory: a
-	certificate authority signature file,
-	<filename>myca.key</filename>, and the certificate itself,
-	<filename>new.crt</filename>.  These should be placed in a
-	directory, preferably under <filename>/etc</filename>, which
-	is readable only by <systemitem
+	private key file
+	<filename>cert.key</filename>, and the certificate itself,
+	<filename>cert.crt</filename>.  These should be placed in a
+	directory, preferably under <filename>/etc/ssl/</filename>,
+	which is readable only by <systemitem
 	  class="username">root</systemitem>.  Permissions of
 	<literal>0700</literal> are appropriate for these files and
 	can be set using <command>chmod</command>.</para>