Openssl generating 1024 bit keys when default_bits is set to 4096 bit


Ralf Skyper Kaiser
Hi,

OpenSSL 1.0.1e 11 Feb 2013

$ grep bits openssl.cnf
default_bits            = 4096

=> Note that the default_bits are set to 4096.

$ openssl req -config openssl.cnf -nodes -newkey rsa -keyout testkey.pem  -keyform PEM -out testreq.pem -outform PEM
Generating a 4096 bit RSA private key
..++++++
...........................++++++
writing new private key to 'testkey.pem'

=> Note that Openssl tells us that it is generating a 4096 bit key.


$ openssl rsa -text <testkey.pem  | less | grep Key
Private-Key: (1024 bit)

=> ...but openssl generated a 1024 bit key instead.


(The workaround is to force openssl with -newkey rsa:4096.)

Two concerns:
1. Openssl should create a 4096 bit key if the default setting is 4096 bit.
2. Openssl should not show that a 4096 bit key is generated and then generate something much weaker.

regards,

skyper

Re: Openssl generating 1024 bit keys when default_bits is set to 4096 bit

Jan Just Keijser-2
Hi Ralf,

Ralf Skyper Kaiser wrote:

> Hi,
>
> OpenSSL 1.0.1e 11 Feb 2013
>
> $ grep bits openssl.cnf
> default_bits            = 4096
>
> => Note that the default_bits are set to 4096.
>
> $ openssl req -config openssl.cnf -nodes -newkey rsa -keyout
> testkey.pem  -keyform PEM -out testreq.pem -outform PEM
> Generating a 4096 bit RSA private key
> ..++++++
> ...........................++++++
> writing new private key to 'testkey.pem'
>
> => Note that Openssl tells us that it is generating a 4096 bit key.
>
>
> $ openssl rsa -text <testkey.pem  | less | grep Key
> Private-Key: (1024 bit)
>
> => ...but openssl generated a 1024 bit key instead.
>
>
> (The workaround is to force openssl with -newkey rsa:4096.)
>
> Two concerns:
> 1. Openssl should create a 4096 bit key if the default setting is 4096
> bit.
> 2. Openssl should not show that a 4096 bit key is generated and then
> generate something much weaker.
>
The output of the command you gave is indeed confusing, but if you use

  $ openssl req -config openssl.cnf -nodes -new -keyout testkey.pem -keyform PEM -out testreq.pem

to generate the key+request the correct value *is* picked up from the
openssl.cnf file.

I don't yet understand why the 'req' command does pick up the setting
from the openssl.cnf file yet it generates the private key using the
default key size.

HTH,

JJK
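
As an added check (example code, not from this thread or the OpenSSL project): a small Python verifier that reads the real modulus size out of a PKCS#1 PEM key, the same fact JJK's `openssl rsa -text` line reports, so a provisioning script can fail when the key is smaller than policy instead of trusting the "Generating a 4096 bit RSA private key" message. `rsa_modulus_bits` and `key_meets_policy` are names introduced here, and `constructed_key_pem` builds structurally valid but cryptographically meaningless fixtures for testing.

```python
import base64
import re

def _der_len(n):
    """DER length octets: one byte below 128, else 0x80|count then the length bytes."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(v):
    """DER INTEGER; the spare high byte keeps values whose top bit is set positive."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b

def _der_read(buf, pos):
    """Read one TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Bit length of the modulus in a PKCS#1 'RSA PRIVATE KEY' PEM (the format
    OpenSSL's req -keyout writes), read from the key itself, not a tool message."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA private key")
    der = base64.b64decode("".join(m.group(1).split()))
    _, body, _ = _der_read(der, 0)               # RSAPrivateKey ::= SEQUENCE { ... }
    _, _version, pos = _der_read(body, 0)        # version INTEGER
    tag, modulus, _ = _der_read(body, pos)       # modulus INTEGER n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def key_meets_policy(pem, minimum_bits=4096):
    return rsa_modulus_bits(pem) >= minimum_bits  # policy: at least default_bits

def constructed_key_pem(bits):
    """Constructed fixture: a structurally valid RSAPrivateKey whose modulus has
    exactly `bits` bits. Not a real key; every other field is a dummy 1."""
    n = (1 << (bits - 1)) | 1                     # top bit set => exact bit length
    fields = [0, n, 65537, 1, 1, 1, 1, 1, 1]      # version, n, e, d, p, q, dP, dQ, qInv
    body = b"".join(_der_int(f) for f in fields)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"
```

Run against a real `testkey.pem` from the thread's command, `key_meets_policy(open("testkey.pem").read())` is False for the 1024-bit key and True once `-newkey rsa:4096` or `-new` with `default_bits = 4096` is used.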

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]