Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Generate Private and Public key OpenSSL

Tags:

openssl

rsa

public-key

private-key

I have the following commands for OpenSSL to generate Private and Public keys:

openssl genrsa –aes-128-cbc –out priv.pem –passout pass:[privateKeyPass] 2048

and

openssl req –x509 –new –key priv.pem –passin pass:[privateKeyPass] -days 3650 –out cert.cer

... but they are not working. For the first command I get the following error :

usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -seed
                 encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator

What am I doing wrong?

Edit: I solved the first command :

openssl genrsa -aes128 -out privkey.pem 2048

But now I'm getting an error with the second:

unknown option –x509
like image 219
kozla13 Avatar asked Sep 28 '12 09:09

kozla13

Video Answer

2 Answers

'genrsa' generates just an RSA key.

'req' then uses that key to make a x509 style request.

If you just need a rsa key pair - use genrsa.

If you need a keypair and a signed x509 request you use 'genrsa' and then 'req'.

Optionally 'req' can also generate that key for you (i.e. it encapsulates the 'genrsa' command (and the gendh).

So:

 openssl genrsa -aes128 -out privkey.pem 2048
 openssl req -new -x509 -key privkey.pem

is almost equivalent to

 openssl req -new -x509 -keyout privkey.pem  -newkey rsa:2048

except that unlike 'genrsa', 'req' does not allow you to specify aes128 as the encryption.

So in a lot of enterprise settings one does it in two steps as to get sufficient control over the key encryption applied.

like image 137
Dirk-Willem van Gulik Avatar answered Oct 08 '22 05:10

Dirk-Willem van Gulik

As I can see from the output, you choose wrong algorithm. Shouldn't you pass -aes128 instead of -aes-128-cbc?

From manual I assume that -aes-128-cbc is a proper parameter for openssl enc, but I don't know if it should work for genrsa.

like image 39
Piotr Zierhoffer Avatar answered Oct 08 '22 03:10

Piotr Zierhoffer
Sign in to Comment

Related questions

Interoperability between RSACryptoServiceProvider and openSSL
OpenSSL version mismatch. Built against 1000105f, you have 10001080
Error installing Ruby 2.3.8 in OSX 10.15.2 Catalina using RVM; OpenSSL not found
Digitally signing a PDF, using PHP, Zend, and openssl
Bad Magic Number error when trying to Decrypt file in OpenSSL
Java equivalent to OpenSSL s_client command
Difference between .so file and .a file?
Can I obtain TLS secrets from an HTTP client to decrypt my own HTTPS conversation?
Decrypt string in C# that was encrypted with PHP openssl_encrypt
openssl_pkey_new() throwing errors -- Proper openssl.cnf setup for php
CertificateException - OpenSSLX509CertificateFactory$ParsingException
SSL operation failed with code 1: dh key too small
ssl/asyncio: traceback even when error is handled
OpenSSL unable to get local issuer certificate unless CAfile is explicitly specified
fabric keeps asking for password using SSH connection
How to add custom field to certificate using openssl
openssl / ctls trouble with vapor 2
Extract pem certificate information programmatically using openssl
Generating an OpenSSL Certificate Signing Request in iOS with Keychain stored keys
Handling SSL_shutdown correctly

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!