RSA PSS RSAE Cert Generation

Matt Caswell matt at
Fri Jun 14 14:56:59 UTC 2019

On 14/06/2019 13:28, Raja Ashok wrote:
> Hi All,
> For using with TLS1.3, I am able to generate rsa_pss_pss cert (Both Public key
> and Signature of RSA_PSS OID) with the below script.
> Can some one help me to find out the command for generating rsa_pss_rsae cert
> (Public key of rsaEncryption OID and Signature of RSA PSS OID) ?

It's not entirely clear to me what you are asking for. In your script you
generate a root certificate and a server certificate. Both the root and the
server certificate use the RSA PSS OID. The signature in the server certificate
will be PSS because the root is using the PSS OID.

If you want to generate a server certificate that uses the rsaEncryption OID
then just drop the "-sigopt rsa_padding_mode:pss" option from the command
generating the serv_req.pem file. The rsaEncryption OID is the default.

The signature in the certificate depends on the oid in the root certificate and
how you sign using it. Since your root uses the RSA PSS OID then the signature
in the server cert will still be PSS.

But I'm not sure that is what you are actually asking for. There is no such
thing as an "rsa_pss_rsae" certificate. I think you are confusing the sig algs
from TLSv1.3 with the certificate type. In order to use the "rsa_pss_rsae" sig
alg in TLSv1.3 all you need is an RSA certificate with the rsaEncryption OID. It
makes no difference what the signature in the certificate is (that is only
relevant for verifying the chain). As long as you use a cert with the
rsaEncryption OID in it, and you negotiate TLSv1.3, then any signatures
generated during the handshake will be PSS signatures using an rsa_pss_rsae sig alg.


More information about the openssl-users mailing list