[openssl-users] private key difference: openssl genrsa vs opnessl req newkey
Michele Mase'
michele.mase at gmail.com
Wed Aug 2 21:22:34 UTC 2017
tx for the support. I will try a solution with the problematic software.
Best regards
Michele MAsè
On Tue, Aug 1, 2017 at 6:55 PM, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:
> On Wed, Jul 26, 2017 at 09:21:43PM +0200, Michele Mase' wrote:
>
> > So, what should be the command line to use in order to obtain the same
> key?
> > openssl genrsa ....
>
> This creates keys in a legacy RSA algorithm-specific format.
>
> > openssl req -nodes -newkey rsa:2048 some_extra_parameters ....
>
> This creates keys in the preferred standard PKCS#8 format.
>
> You can use "openssl pkey" to read legacy RSA keys and output
> PKCS#8 keys. Or you can use "openssl genpkey" to generate
> PKCS#8 keys directly:
>
> # RSA
> (umask 077; openssl genpkey -algorithm rsa -pkeyopt
> rsa_keygen_bits:2048 -out key.pem)
>
> # ECDSA P-256
> (umask 077; openssl genpkey -algorithm ec -pkeyopt
> ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key.pem)
>
> # ECDSA P-384
> (umask 077; openssl genpkey -algorithm ec -pkeyopt
> ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve -out key.pem)
>
> # ECDSA P-521
> (umask 077; openssl genpkey -algorithm ec -pkeyopt
> ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve -out key.pem)
>
> It is unfortunate that OpenSSL 1.0.2 does not accept curve name
> aliases for ec_paramgen_curve. Thus, for example, only "prime256v1"
> is accepted for P-256 and not any of its other names.
>
> I've not checked whether this is fixed in OpenSSL 1.1.0.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170802/a755302d/attachment.html>
More information about the openssl-users
mailing list