Fwd: Trying to generate a RSA private key

Viktor Dukhovni openssl-users at dukhovni.org
Wed Feb 16 14:24:17 UTC 2022

On Wed, Feb 16, 2022 at 11:16:03AM +0100, mary mary wrote:

> But now the issue would become different, and I'll try to share it
> possibly even if the subject changes, in case i could get advice.  I
> needed the private key for adding it in wireshark for decoding some
> encrypted messages exchanged between "my" server and a client.  If the
> private key does not exist, how we could decode the messages?

Well, now that we're past the XY problem, there's good news and bad

Good news:

    * If you control the server, the server's private key is typically
      stored in the server's private key file (possible same as its
      certificate file).  If the server is OpenSSL rather than Java
      based, it would typically already be in PEM format, ...

Bad news:

    * Even with the server's private key, you generally can't decrypt TLS
      traffic, when, as is typical and best-practice, the negotiated
      cipher has forward-secrecy (uses DH or ECDH key exchange).

To actually decode the traffic, you'd need to configure the server or
client to record the session "master secret".  A client-side example
is discussed in:


Alternatively, In the blog post at:


there's an example which downgrades the client TLS parameters to use at
most TLS 1.2 and RSA key transport (instead of DH), which then makes it
it possible to use the server's private key to decrypt the traffic.


More information about the openssl-users mailing list