x509v3-sign-rsa, x509v3-ssh-rsa and x509v3-rsa2048-sha256
murugesh pitchaiah
murugesh.pitchaiah at gmail.com
Thu Sep 2 05:19:10 UTC 2021
Thanks for the response Dirk.
I tried, but could not see the certificate public key algorithm as
x509v3-ssh-rsa or x509v3-rsa2048-sha256.
I use the openssl commands below to generate the user certificate:
openssl req -nodes -new -x509 -keyout userkey.pem -out userreq.pem \
    -days 365 -config openssl.cnf
openssl x509 -x509toreq -in userreq.pem -signkey userkey.pem -out tmp.pem
openssl ca -config openssl.cnf -extensions usr_cert -out usercert.pem \
    -infiles tmp.pem
I tried varying the bit size (1024/2048/4096) and default_md
(sha1/sha256/sha512) in the openssl.cnf file.
Could anyone please share the steps to generate user certificates of
type x509v3-ssh-rsa and x509v3-rsa2048-sha256?
Thanks & Regards,
Murugesh P.
On 8/24/21, Dirk-Willem van Gulik <dirkx at webweaving.org> wrote:
> On 24 Aug 2021, at 09:47, murugesh pitchaiah <murugesh.pitchaiah at gmail.com> wrote:
>>
>> Hi,
>>
>> I am working on generating the x509v3 certificates for ssh user. I see
>> with the default_md as 'sha256', in openssl.cnf file, the
>> key/certificate is generated with algorithm type as 'x509v3-sign-rsa'.
>>
>> I see its signature algorithm is:
>>
>> Signature Algorithm: sha256WithRSAEncryption
>> Public Key Algorithm: rsaEncryption
>> Public-Key: (2048 bit)
>>
>>
>> Can anyone please share how to generate certificates for
>> x509v3-ssh-rsa and x509v3-rsa2048-sha256? Basically, I am looking for the
>> difference between these three types of public key algorithms, and how
>> to generate certificates of these types:
>>
>> x509v3-sign-rsa, x509v3-ssh-rsa and x509v3-rsa2048-sha256
>>
>> Because, even for x509v3-sign-rsa, I see the size is 2048 bit and it
>> is sha256. Is it something to vary in the 'default_md' (or newkey rsa:size
>> and -sha) fields to generate these different cert types?
>
> Try something like
>
> openssl req -new -x509 -newkey rsa:1024 -sha256 -keyout /dev/stdout -nodes \
>   -subj /CN=foo |\
>   openssl x509 -pubkey -noout | openssl rsa -text -pubin -noout
>
> openssl req -new -x509 -newkey rsa:1024 -sha256 -keyout /dev/stdout -nodes \
>   -subj /CN=foo |\
>   openssl x509 -text -noout | grep Signature
>
> And vary the newkey argument to see what it actually generates as an RSA
> key.
>
> In this example a 1024 bit one. You can also vary sha256 to things like md5,
> etc.
>
> Dw.
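The check this thread circles around, written out as an added example (not code from either poster): a POSIX shell script that generates throwaway self-signed RSA certificates with the key size and digest as parameters, which is the variation Dirk suggests, and reports what the certificate itself records. It assumes the openssl CLI is on PATH; the subject /CN=example and the helper names cert_text, cert_summary and ssh_alg_name_in_cert are placeholders chosen here. Its last function shows why varying default_md or the key size never produces a file that says x509v3-ssh-rsa or x509v3-rsa2048-sha256: in RFC 6187 those are SSH public key algorithm names that the SSH implementation selects for a key it finds in the certificate, not fields of the X.509 certificate, so the certificate text only ever shows the key algorithm, the key size and the signature digest.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
# Generates throwaway self-signed RSA certificates and reports what the
# certificate itself records: key algorithm, key size and signature digest.

# cert_text BITS DIGEST
# Generate a fresh key plus self-signed certificate in a temporary directory
# and print the output of `openssl x509 -text`; nothing is kept afterwards.
cert_text() {
  bits="$1"; digest="$2"
  tmp=$(mktemp -d) || return 1
  # /CN=example is a placeholder subject.
  if ! openssl req -new -x509 -newkey "rsa:${bits}" "-${digest}" -nodes \
        -keyout "${tmp}/key.pem" -out "${tmp}/cert.pem" \
        -subj /CN=example -days 1 >/dev/null 2>&1; then
    rm -rf "$tmp"; return 1
  fi
  openssl x509 -in "${tmp}/cert.pem" -text -noout
  status=$?
  rm -rf "$tmp"
  return $status
}

# cert_summary BITS DIGEST
# Prints "KEYBITS DIGEST PUBKEY_ALG SIG_ALG", all taken from the certificate
# text except DIGEST, which is echoed so the rows are easy to compare.
cert_summary() {
  text=$(cert_text "$1" "$2") || return 1
  key_bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  pub_alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
  sig_alg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: //p' | head -n 1)
  printf '%s %s %s %s\n' "$key_bits" "$2" "$pub_alg" "$sig_alg"
}

# ssh_alg_name_in_cert BITS DIGEST
# Exit 0 only if the certificate text contains an SSH algorithm name such as
# x509v3-ssh-rsa, x509v3-rsa2048-sha256 or x509v3-sign-rsa. It never does:
# RFC 6187 defines these as SSH public key algorithm identifiers chosen by
# the SSH peer for the key in the certificate, not as certificate fields.
# (The grep is case-sensitive, so the "X509v3 extensions" header does not match.)
ssh_alg_name_in_cert() {
  text=$(cert_text "$1" "$2") || return 2
  printf '%s\n' "$text" | grep -q 'x509v3-'
}

# The combinations the original poster tried: the certificate only ever
# reports rsaEncryption, the key size, and <digest>WithRSAEncryption.
for combo in "1024 sha256" "2048 sha256" "2048 sha512"; do
  set -- $combo
  cert_summary "$1" "$2"
done
```

Run it as `sh check_cert_algs.sh`; each row is one generated certificate, and `ssh_alg_name_in_cert 2048 sha256` returns non-zero for every combination, which is the observation that started the thread.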