[openssl-users] private key difference: openssl genrsa vs opnessl req newkey

Benjamin Kaduk bkaduk at akamai.com
Wed Jul 26 16:29:15 UTC 2017

On 07/26/2017 10:13 AM, Michele Mase' wrote:
> During the generation of x509 certificates, both commands give the
> same results:
> Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key
> -out example.csr -subj "/C=GB/ST=London/L=London/O=Global
> Security/OU=IT Department/CN=example.com
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=SvmGwnxF6Arf5U_XmN1vPPpie6IFH3h5CkVhveCn26I&s=AMT2W-m9xgiUsKMETv-WcWALqfQnX1rujJdNTJsVz1E&e=>"
> Command "b": openssl genrsa -out example.key
> Both commands give me a private key without password, a key that is
> not encrypted.
> To remove the passphrase from private key, I use the
> Command "c":openssl rsa -in example.key -out example2.key
> The command "c" against the example.key generated by command "a",
> gives the same private key with different content between --BEGIN RSA
> and --END RSA. Simply, try the following:
> diff example.key example2.key, the files are different.
> The command "c" against example.key generate by the command "b"
> produces the same file. No differences.
> Why?
> Perhaps I missed something in openssl manual ... :(
> These differenced gave me troubles using custom certificates in some
> software.
> Any suggestion?

The output from openssl req includes an additional layer of encoding and
the rsaEncryption OID around the actual key parameters, as can be seen
using openssl asn1parse.  The conversion with 'openssl rsa' removes that
extra encoding.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170726/93760baa/attachment.html>

More information about the openssl-users mailing list