private key difference: openssl genrsa vs openssl req newkey


private key difference: openssl genrsa vs openssl req newkey

Michele Mase'
During the generation of x509 certificates, both commands give the same results:

Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
Command "b": openssl genrsa -out example.key

Both commands give me a private key without password, a key that is not encrypted.
To remove the passphrase from the private key, I use
Command "c": openssl rsa -in example.key -out example2.key

The command "c" against the example.key generated by command "a" gives the same private key with different content between --BEGIN RSA and --END RSA. Simply try the following:
diff example.key example2.key: the files are different.

The command "c" against example.key generated by the command "b" produces the same file. No differences.

Why?
Perhaps I missed something in openssl manual ... :(
These differences gave me trouble using custom certificates in some software.
Any suggestion?
Regards
Michele Masè

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: private key difference: openssl genrsa vs openssl req newkey

Benjamin Kaduk
On 07/26/2017 10:13 AM, Michele Mase' wrote:
> During the generation of x509 certificates, both commands give the same results:
>
> Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
> Command "b": openssl genrsa -out example.key
>
> Both commands give me a private key without password, a key that is not encrypted.
> To remove the passphrase from the private key, I use
> Command "c": openssl rsa -in example.key -out example2.key
>
> The command "c" against the example.key generated by command "a" gives the same private key with different content between --BEGIN RSA and --END RSA. Simply try the following:
> diff example.key example2.key: the files are different.
>
> The command "c" against example.key generated by the command "b" produces the same file. No differences.
>
> Why?
> Perhaps I missed something in openssl manual ... :(
> These differences gave me trouble using custom certificates in some software.
> Any suggestion?

The output from openssl req includes an additional layer of encoding and the rsaEncryption OID around the actual key parameters, as can be seen using openssl asn1parse.  The conversion with 'openssl rsa' removes that extra encoding.

-Ben


Re: private key difference: openssl genrsa vs openssl req newkey

Michele Mase'
Tx.
So, what should be the command line to use in order to obtain the same key?
openssl genrsa ....
openssl req -nodes -newkey rsa:2048 some_extra_parameters ....
Michele Masè

On Wed, Jul 26, 2017 at 6:29 PM, Benjamin Kaduk <[hidden email]> wrote:

Re: private key difference: openssl genrsa vs openssl req newkey

Michele Mase'
Anyone?

On Wed, Jul 26, 2017 at 9:21 PM, Michele Mase' <[hidden email]> wrote:

Re: private key difference: openssl genrsa vs openssl req newkey

Viktor Dukhovni
On Wed, Jul 26, 2017 at 09:21:43PM +0200, Michele Mase' wrote:

> So, what should be the command line to use in order to obtain the same key?
> openssl genrsa ....

This creates keys in a legacy RSA algorithm-specific format.

> openssl req -nodes -newkey rsa:2048 some_extra_parameters ....

This creates keys in the preferred standard PKCS#8 format.

You can use "openssl pkey" to read legacy RSA keys and output
PKCS#8 keys.  Or you can use "openssl genpkey" to generate
PKCS#8 keys directly:

    # RSA
    (umask 077; openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out key.pem)

    # ECDSA P-256
    (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key.pem)

    # ECDSA P-384
    (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve -out key.pem)

    # ECDSA P-521
    (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve -out key.pem)

It is unfortunate that OpenSSL 1.0.2 does not accept curve name
aliases for ec_paramgen_curve.  Thus, for example, only "prime256v1"
is accepted for P-256 and not any of its other names.

I've not checked whether this is fixed in OpenSSL 1.1.0.

--
        Viktor.
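Ben's explanation (an extra layer of encoding carrying the rsaEncryption OID, visible with openssl asn1parse) and Viktor's advice (openssl pkey reads a legacy RSA key and writes PKCS#8) describe the same ASN.1 wrapper from two sides. The Python script below is an added example, not code from this thread or from OpenSSL: it DER-encodes a constructed toy RSA key (p=61, q=53, chosen only so the script runs offline) as a PKCS#1 RSAPrivateKey, the structure genrsa writes under "BEGIN RSA PRIVATE KEY"; wraps it in a PKCS#8 PrivateKeyInfo, the structure req -newkey and genpkey write under "BEGIN PRIVATE KEY"; unwraps it again; prints an asn1parse-style outline of both; and checks that the modulus survives the round trip. The function names, the toy key and the outline format are mine; the OID and the PEM labels are the standard ones.

```python
"""PKCS#1 (legacy "RSA PRIVATE KEY") versus PKCS#8 ("PRIVATE KEY") encodings.

Added example; not from the thread or from OpenSSL.  The RSA parameters are a
constructed toy key (p=61, q=53) that serves only to show the encoding.
"""
import base64

# rsaEncryption OID 1.2.840.113549.1.1.1, as DER content bytes
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")
TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL",
             0x06: "OBJECT", 0x30: "SEQUENCE"}

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; the +8 keeps the sign bit clear (leading 0x00 when needed)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def encode_pkcs1(n: int, e: int, d: int, p: int, q: int) -> bytes:
    """RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv } (genrsa's format)."""
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    return der(0x30, b"".join(der_integer(x) for x in (0, n, e, d, p, q, dp, dq, qinv)))

def wrap_pkcs8(pkcs1: bytes) -> bytes:
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, privateKey OCTET STRING }.
    This is the layer 'req -newkey' and 'genpkey' emit and 'openssl pkey' adds to a legacy key."""
    alg_id = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, der_integer(0) + alg_id + der(0x04, pkcs1))

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, offset_after_element) for the element at buf[off:]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    else:
        length = first
    return tag, buf[off:off + length], off + length

def unwrap_pkcs8(pkcs8: bytes) -> bytes:
    """Strip PrivateKeyInfo and return the inner PKCS#1 bytes (what 'openssl rsa' did in the thread)."""
    tag, body, _ = read_tlv(pkcs8)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, version, off = read_tlv(body)
    if version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    _, alg_id, off = read_tlv(body, off)
    oid_tag, oid, _ = read_tlv(alg_id)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, inner, _ = read_tlv(body, off)
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return inner

def asn1_outline(buf: bytes, depth: int = 0) -> list:
    """(depth, tag name) pairs in file order, like the left columns of 'openssl asn1parse'.
    SEQUENCEs are descended; an OCTET STRING stays opaque, as asn1parse shows it."""
    out, off = [], 0
    while off < len(buf):
        tag, content, off = read_tlv(buf, off)
        out.append((depth, TAG_NAMES.get(tag, hex(tag))))
        if tag == 0x30:
            out.extend(asn1_outline(content, depth + 1))
    return out

def rsa_modulus(pkcs1: bytes) -> int:
    """Read n from a PKCS#1 body; equal moduli prove two differently encoded files hold one key."""
    _, body, _ = read_tlv(pkcs1)
    _, _, off = read_tlv(body)            # skip version
    _, n, _ = read_tlv(body, off)
    return int.from_bytes(n, "big")

def pem(label: str, data: bytes) -> str:
    """PEM armor with 64-character lines; the label tells the two encodings apart at a glance."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed toy key: e*d == 1 (mod lcm(p-1, q-1)) holds for these values.
TOY_PKCS1 = encode_pkcs1(n=61 * 53, e=17, d=2753, p=61, q=53)
TOY_PKCS8 = wrap_pkcs8(TOY_PKCS1)

if __name__ == "__main__":
    print(pem("RSA PRIVATE KEY", TOY_PKCS1), end="")   # what genrsa writes
    print(pem("PRIVATE KEY", TOY_PKCS8), end="")       # what req -newkey / genpkey write
    for depth, name in asn1_outline(TOY_PKCS8):
        print("  " * depth + name)
    print("same modulus after unwrapping:",
          rsa_modulus(unwrap_pkcs8(TOY_PKCS8)) == rsa_modulus(TOY_PKCS1))
```

Run it next to `openssl asn1parse -in example.key` on the two files from the thread: the req/genpkey file shows the outer SEQUENCE, an INTEGER, a SEQUENCE holding OBJECT :rsaEncryption and NULL, then one OCTET STRING; the genrsa file starts directly at the nine INTEGERs. When a piece of software only accepts one of the two, `openssl pkey -in legacy.key -out pkcs8.key` goes one way and `openssl rsa -in pkcs8.key -out legacy.key` the other, and `openssl rsa -noout -modulus -in <file>` on both is the quick check that the conversion did not change the key.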

Re: private key difference: openssl genrsa vs openssl req newkey

Michele Mase'
Tx for the support. I will try a solution with the problematic software.
Best regards
Michele Masè

On Tue, Aug 1, 2017 at 6:55 PM, Viktor Dukhovni <[hidden email]> wrote: