[openssl-users] private key difference: openssl genrsa vs openssl req newkey

Michele Mase' michele.mase at gmail.com
Wed Jul 26 19:21:43 UTC 2017

So, what should be the command line to use in order to obtain the same key?
openssl genrsa ....
openssl req -nodes -newkey rsa:2048 some_extra_parameters ....
Michele MAsè

On Wed, Jul 26, 2017 at 6:29 PM, Benjamin Kaduk <bkaduk at akamai.com> wrote:

> On 07/26/2017 10:13 AM, Michele Mase' wrote:
> During the generation of x509 certificates, both commands give the same
> results:
> Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key -out
> example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT
> Department/CN=example.com"
> Command "b": openssl genrsa -out example.key
> Both commands give me a private key without password, a key that is not
> encrypted.
> To remove the passphrase from private key, I use the
> Command "c": openssl rsa -in example.key -out example2.key
> The command "c" against the example.key generated by command "a", gives
> the same private key with different content between --BEGIN RSA and --END
> RSA. Simply, try the following:
> diff example.key example2.key, the files are different.
> The command "c" against example.key generated by the command "b" produces
> the same file. No differences.
> Why?
> Perhaps I missed something in openssl manual ... :(
> These differences gave me trouble using custom certificates in some
> software.
> Any suggestion?
>
> The output from openssl req includes an additional layer of encoding and
> the rsaEncryption OID around the actual key parameters, as can be seen
> using openssl asn1parse.  The conversion with 'openssl rsa' removes that
> extra encoding.
> -Ben
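The reply above explains that the two files differ only in encoding, so a byte-wise `diff` cannot tell whether they hold the same key. The following is an added example, not part of the thread or of OpenSSL's own documentation: it reads the PEM header to name the container and compares keys after re-encoding both to PKCS#8. The function names `key_format`, `key_fingerprint` and `same_key` are hypothetical, and unencrypted RSA keys with `openssl` on the PATH are assumed.

```shell
#!/bin/sh
# Added example: compare RSA private key files by key material, not by bytes.
# Function names are hypothetical; assumes unencrypted keys and openssl on PATH.

# Report the PEM container from the first line of the file.
key_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo "pkcs1" ;;  # bare key parameters
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8" ;;  # wrapper with rsaEncryption OID
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Re-encode the key as unencrypted PKCS#8 and hash that canonical form.
# "-passin pass:" supplies an empty passphrase so encrypted keys fail
# instead of prompting; any parse failure returns non-zero.
key_fingerprint() {
    pem=$(openssl pkcs8 -topk8 -nocrypt -passin pass: -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | sed 's/^.*= //'
}

# True when both files hold the same private key, whatever their encoding.
# A file that cannot be parsed never matches anything.
same_key() {
    a=$(key_fingerprint "$1") && b=$(key_fingerprint "$2") && [ "$a" = "$b" ]
}

# Usage: sh keycmp.sh example.key example2.key
if [ "$#" -eq 2 ]; then
    echo "$1: $(key_format "$1")"
    echo "$2: $(key_format "$2")"
    if same_key "$1" "$2"; then
        echo "same key material"
    else
        echo "different keys (or a file could not be parsed)"
    fi
fi
```

Software that accepts only one of the two containers needs the key converted to that container; the key itself does not have to be regenerated.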
