OpenSSL has long limited RSA key moduli to 16384 bits, far more than 2048.

It also has limits on other kinds of keys; if you meant to ask about them, be specific. Do you really mean 0.9.8 with no suffix? Vanilla or patched? The oldest and newest 0.9.8 versions I have installed (g and x) handle RSA-2048 fine - even with SHA-256 for signature, which your example doesn't do. (NIST rates RSA-2048 strength equivalent to 112 bits, but SHA-1 drags signature strength down to 80 bits or less, especially for partly-chosen data like certs.)

Does the error occur with s_client or something else, and if something else, can you reproduce it with s_client? What exactly is the error?

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mithun Kumar
Sent: Friday, March 14, 2014 11:53
To: openssl-users@openssl.org
Subject: *** Spam *** Re: Need understanding on certutil output.

Hello Viktor,

Thanks for the reply. Are there any limitations with key size? When cert 2 is received by the client from the server, I get an incorrect tag length error. Currently I am using OpenSSL version 0.9.8. Same cert (Cert2) works correctly for v1.0.0.d.

-Thanks
mithun

On Fri, Mar 14, 2014 at 8:02 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

On Fri, Mar 14, 2014 at 06:18:49PM +0530, Mithun Kumar wrote:

> What is the difference between these two formats

The first contains a 1024 bit RSA-SHA1 public key, the second a 2048-bit key.

> Below is the ASN output using certutil tool.
>
> *Cert1:-*
>
> 0618: 30 0d ; SEQUENCE (d Bytes)
> 061a: | 06 09 ; OBJECT_ID (9 Bytes)
> 061c: | | 2a 86 48 86 f7 0d 01 01 05
> | | ; 1.2.840.113549.1.1.5 sha1RSA
> 0625: | 05 00 ; NULL (0 Bytes)
> 0627: 03 81 81 ; BIT_STRING (81 Bytes)
>
> *Cert2:-*
>
> 0780: 30 0d ; SEQUENCE (d Bytes)
> 0782: | 06 09 ; OBJECT_ID (9 Bytes)
> 0784: | | 2a 86 48 86 f7 0d 01 01 05
> | | ; 1.2.840.113549.1.1.5 sha1RSA
> 078d: | 05 00 ; NULL (0 Bytes)
> 078f: 03 82 01 01 ; BIT_STRING (101 Bytes)
> 0793: 00
>
> What do the highlighted values indicate? Any idea?

The signature algorithm name and key length. The byte counts are reported in hex by the tool you're using, so 0x101 is 257 decimal, and 0x81 is 129 decimal.

--
Viktor.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
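Added example, not from the thread: a minimal DER tag/length decoder that walks the AlgorithmIdentifier SEQUENCE and the signature BIT STRING header exactly as they appear in the certutil dump, turning "81 81" and "82 01 01" into the 129- and 257-byte counts Viktor quotes, and then into the 1024- and 2048-bit signature sizes. The function names and the zero-filled signature bytes are constructed for illustration; the header bytes are the ones from the dump.

```python
# OID 1.2.840.113549.1.1.5 (sha1RSA) exactly as it appears in the dump
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")

def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode one DER tag/length header at pos -> (tag, length, start, end).

    A length byte below 0x80 is the length itself; 0x80|n means n big-endian
    length bytes follow, so the dump's '81 81' is 129 and '82 01 01' is 257.
    Truncated or malformed elements raise ValueError instead of over-reading.
    """
    if pos + 2 > len(buf):
        raise ValueError(f"truncated header at offset {pos:#x}")
    tag, first, hdr = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or hdr + nbytes > len(buf):
            raise ValueError(f"bad long-form length at offset {pos:#x}")
        length = int.from_bytes(buf[hdr:hdr + nbytes], "big")
        hdr += nbytes
    if hdr + length > len(buf):
        raise ValueError(f"content runs past end of data at offset {pos:#x}")
    return tag, length, hdr, hdr + length

def signature_bits(bitstring_len: int) -> int:
    # the first BIT STRING content byte (the '00' at 0793) counts unused bits
    return (bitstring_len - 1) * 8

def describe_signature(blob: bytes) -> dict:
    """Walk the AlgorithmIdentifier SEQUENCE, its OID, then the BIT STRING."""
    tag, _, start, end = read_tlv(blob, 0)
    oid_tag, _, oid_start, oid_end = read_tlv(blob, start)
    bs_tag, bs_len, bs_start, _ = read_tlv(blob, end)
    if tag != 0x30 or oid_tag != 0x06 or bs_tag != 0x03:
        raise ValueError("expected SEQUENCE { OID ... } followed by BIT STRING")
    return {
        "sha1RSA": blob[oid_start:oid_end] == OID_SHA1_RSA,
        "sig_bytes": bs_len,
        "unused_bits": blob[bs_start],
        "rsa_bits": signature_bits(bs_len),
    }

# Constructed inputs: the 15 AlgorithmIdentifier bytes from the dump, then each
# cert's BIT STRING header and a zero-filled signature of the matching length.
ALG_ID = bytes.fromhex("300d06092a864886f70d0101050500")
CERT1_TAIL = ALG_ID + bytes.fromhex("038181") + b"\x00" * 129
CERT2_TAIL = ALG_ID + bytes.fromhex("03820101") + b"\x00" * 257
```

Feeding a BIT STRING header whose declared length runs past the available bytes raises ValueError rather than reading garbage, which is the class of mismatch a "tag length" error from a DER parser is reporting.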