[openssl-users] private key difference: openssl genrsa vs openssl req newkey

Michele Mase' michele.mase at gmail.com
Tue Aug 1 12:46:13 UTC 2017


Anyone?

On Wed, Jul 26, 2017 at 9:21 PM, Michele Mase' <michele.mase at gmail.com>
wrote:

> Tx.
> So, what should be the command line to use in order to obtain the same key?
> openssl genrsa ....
> openssl req -nodes -newkey rsa:2048 some_extra_parameters ....
> Michele MAsè
>
> On Wed, Jul 26, 2017 at 6:29 PM, Benjamin Kaduk <bkaduk at akamai.com> wrote:
>
>> On 07/26/2017 10:13 AM, Michele Mase' wrote:
>>
>> During the generation of x509 certificates, both commands give the same
>> results:
>>
>> Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key -out
>> example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT
>> Department/CN=example.com"
>> Command "b": openssl genrsa -out example.key
>>
>> Both commands give me a private key without password, a key that is not
>> encrypted.
>> To remove the passphrase from private key, I use the
>> Command "c":openssl rsa -in example.key -out example2.key
>>
>> The command "c" against the example.key generated by command "a", gives
>> the same private key with different content between --BEGIN RSA and --END
>> RSA. Simply, try the following:
>> diff example.key example2.key, the files are different.
>>
>> The command "c" against example.key generated by the command "b" produces
>> the same file. No differences.
>>
>> Why?
>> Perhaps I missed something in openssl manual ... :(
>> These differences gave me troubles using custom certificates in some
>> software.
>> Any suggestion?
>>
>>
>> The output from openssl req includes an additional layer of encoding and
>> the rsaEncryption OID around the actual key parameters, as can be seen
>> using openssl asn1parse.  The conversion with 'openssl rsa' removes that
>> extra encoding.
>>
>> -Ben
>>
>
>
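
Added example, not part of the original thread: the extra layer Ben describes is the PKCS#8 PrivateKeyInfo wrapper (version, rsaEncryption OID, OCTET STRING) around the PKCS#1 RSAPrivateKey structure. The sketch below builds both encodings for a constructed toy key and shows that unwrapping recovers the same inner bytes; all function names are illustrative.

```python
# Added example; helper names are illustrative, the key is a constructed toy (p=61, q=53).
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_int(v):
    """Encode a non-negative INTEGER (a leading zero byte keeps it positive)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def toy_pkcs1():
    """PKCS#1 RSAPrivateKey: SEQUENCE of nine INTEGERs, nothing else."""
    p, q, e = 61, 53, 17
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return tlv(0x30, b"".join(der_int(f) for f in fields))

def wrap_pkcs8(pkcs1):
    """PKCS#8 PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING(key)."""
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, der_int(0) + alg + tlv(0x04, pkcs1))

def classify(der):
    """Return (format, PKCS#1 bytes) for a DER-encoded RSA private key."""
    tag, body, _ = read_tlv(der)
    _, _, pos = read_tlv(body)              # version INTEGER
    tag2, val2, pos = read_tlv(body, pos)   # modulus, or AlgorithmIdentifier
    if tag == 0x30 and tag2 == 0x02:
        return "PKCS#1", der
    if tag == 0x30 and tag2 == 0x30 and read_tlv(val2)[:2] == (0x06, RSA_OID):
        return "PKCS#8", read_tlv(body, pos)[1]  # OCTET STRING contents
    raise ValueError("unrecognised key structure")

if __name__ == "__main__":
    for key in (toy_pkcs1(), wrap_pkcs8(toy_pkcs1())):
        print(classify(key)[0], len(key), "bytes", key.hex())
```

The two files differ byte for byte even though the key parameters are identical, which is why a plain diff of the PEM bodies reports a difference.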