Re: private key difference: openssl genrsa vs opnessl req newkey

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Jul 26, 2017 at 09:21:43PM +0200, Michele Mase' wrote:

> So, what should be the command line to use in order to obtain the same key?
> openssl genrsa ....

This creates keys in a legacy RSA algorithm-specific format.

> openssl req -nodes -newkey rsa:2048 some_extra_parameters ....

This creates keys in the preferred standard PKCS#8 format.

You can use "openssl pkey" to read legacy RSA keys and output
PKCS#8 keys.  Or you can use "openssl genpkey" to generate
PKCS#8 keys directly:

    # RSA
    (umask 077; openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out key.pem)

    # ECDSA P-256
    (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key.pem)

    # ECDSA P-384
    (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve -out key.pem)

    # ECDSA P-521
    (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve -out key.pem)

It is unfortunate that OpenSSL 1.0.2 does not accept curve name
aliases for ec_paramgen_curve.  Thus, for example, only "prime256v1"
is accepted for P-256 and not any of its other names.

I've not checked whether this is fixed in OpenSSL 1.1.0.

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux