On 26 Jul 2011, at 10:16 PM, Katif wrote:
> Can you tell me what are the application dependency factor here so we'll be
> able to chase a limit?
>
> It is used as an RSA key exchange certification/private key pairing.
>
> Thanks...
The two things that are variable size are the key material itself, and the many fields that can occur in a certificate. A private key file just has key material, so its size should be proportional to the key size in bits (plus constant overhead); a certificate has key material for the key it represents, a signature from the issuer's key (which may have a size dependent on that key's size), and an arbitrary collection of other data that can be incorporated into the certificate when it's created (such as the name or address of the subject, or a list of permitted/forbidden uses, CRL distribution points, legal boilerplate, etc). I don't think there's any limit to the amount of extension data that can be included in a certificate, though in practice it's rarely more than a few kilobytes.
I'd suggest parsing a handful of files using "openssl asn1parse" to get an idea of what's in there and how large each thing is. The sizes and offsets that asn1parse gives you refer to the DER-encoded file; a PEM-encoded file has four bytes for every three of DER, plus another few percent overhead for line endings.
As Kenneth Goldman says, though, you need to consider what will happen when you encounter a certificate larger than you expect, because it *will* happen.
______________________________________________________________________
OpenSSL Project
http://www.openssl.orgUser Support Mailing List
[hidden email]
Automated List Manager
[hidden email]