Re: [openssl-users] private key difference: openssl genrsa vs opnessl req newkey

2017-08-02 Thread Michele Mase'
tx for the support. I will try a solution with the problematic software.
Best regards
Michele MAsè

On Tue, Aug 1, 2017 at 6:55 PM, Viktor Dukhovni wrote:

> On Wed, Jul 26, 2017 at 09:21:43PM +0200, Michele Mase' wrote:
>
> > So, what should be the command line to use in order to obtain the same key?
> > openssl genrsa 
>
> This creates keys in a legacy RSA algorithm-specific format.
>
> > openssl req -nodes -newkey rsa:2048 some_extra_parameters 
>
> This creates keys in the preferred standard PKCS#8 format.
>
> You can use "openssl pkey" to read legacy RSA keys and output
> PKCS#8 keys.  Or you can use "openssl genpkey" to generate
> PKCS#8 keys directly:
>
> # RSA
> (umask 077; openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out key.pem)
>
> # ECDSA P-256
> (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key.pem)
>
> # ECDSA P-384
> (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve -out key.pem)
>
> # ECDSA P-521
> (umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve -out key.pem)
>
> It is unfortunate that OpenSSL 1.0.2 does not accept curve name
> aliases for ec_paramgen_curve.  Thus, for example, only "prime256v1"
> is accepted for P-256 and not any of its other names.
>
> I've not checked whether this is fixed in OpenSSL 1.1.0.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] private key difference: openssl genrsa vs opnessl req newkey

2017-08-01 Thread Viktor Dukhovni
On Wed, Jul 26, 2017 at 09:21:43PM +0200, Michele Mase' wrote:

> So, what should be the command line to use in order to obtain the same key?
> openssl genrsa 

This creates keys in a legacy RSA algorithm-specific format.

> openssl req -nodes -newkey rsa:2048 some_extra_parameters 

This creates keys in the preferred standard PKCS#8 format.

You can use "openssl pkey" to read legacy RSA keys and output
PKCS#8 keys.  Or you can use "openssl genpkey" to generate
PKCS#8 keys directly:

# RSA
(umask 077; openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out key.pem)

# ECDSA P-256
(umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key.pem)

# ECDSA P-384
(umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve -out key.pem)

# ECDSA P-521
(umask 077; openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve -out key.pem)

It is unfortunate that OpenSSL 1.0.2 does not accept curve name
aliases for ec_paramgen_curve.  Thus, for example, only "prime256v1"
is accepted for P-256 and not any of its other names.

I've not checked whether this is fixed in OpenSSL 1.1.0.

-- 
Viktor.


Re: [openssl-users] private key difference: openssl genrsa vs opnessl req newkey

2017-08-01 Thread Michele Mase'
Anyone?

On Wed, Jul 26, 2017 at 9:21 PM, Michele Mase' wrote:

> Tx.
> So, what should be the command line to use in order to obtain the same key?
> openssl genrsa 
> openssl req -nodes -newkey rsa:2048 some_extra_parameters 
> Michele MAsè
>
> On Wed, Jul 26, 2017 at 6:29 PM, Benjamin Kaduk  wrote:
>
>> On 07/26/2017 10:13 AM, Michele Mase' wrote:
>>
>> During the generation of x509 certificates, both commands give the same
>> results:
>>
>> Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key -out
>> example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT
>> Department/CN=example.com"
>> Command "b": openssl genrsa -out example.key
>>
>> Both commands give me a private key without password, a key that is not
>> encrypted.
>> To remove the passphrase from private key, I use the
>> Command "c":openssl rsa -in example.key -out example2.key
>>
>> The command "c" against the example.key generated by command "a", gives
>> the same private key with different content between --BEGIN RSA and --END
>> RSA. Simply, try the following:
>> diff example.key example2.key, the files are different.
>>
>> The command "c" against example.key generated by the command "b" produces
>> the same file. No differences.
>>
>> Why?
>> Perhaps I missed something in openssl manual ... :(
>> These differences gave me troubles using custom certificates in some
>> software.
>> Any suggestion?
>>
>>
>> The output from openssl req includes an additional layer of encoding and
>> the rsaEncryption OID around the actual key parameters, as can be seen
>> using openssl asn1parse.  The conversion with 'openssl rsa' removes that
>> extra encoding.
>>
>> -Ben
>>
>
>


Re: [openssl-users] private key difference: openssl genrsa vs opnessl req newkey

2017-07-26 Thread Michele Mase'
Tx.
So, what should be the command line to use in order to obtain the same key?
openssl genrsa 
openssl req -nodes -newkey rsa:2048 some_extra_parameters 
Michele MAsè

On Wed, Jul 26, 2017 at 6:29 PM, Benjamin Kaduk  wrote:

> On 07/26/2017 10:13 AM, Michele Mase' wrote:
>
> During the generation of x509 certificates, both commands give the same
> results:
>
> Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key -out
> example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT
> Department/CN=example.com"
> Command "b": openssl genrsa -out example.key
>
> Both commands give me a private key without password, a key that is not
> encrypted.
> To remove the passphrase from private key, I use the
> Command "c":openssl rsa -in example.key -out example2.key
>
> The command "c" against the example.key generated by command "a", gives
> the same private key with different content between --BEGIN RSA and --END
> RSA. Simply, try the following:
> diff example.key example2.key, the files are different.
>
> The command "c" against example.key generated by the command "b" produces
> the same file. No differences.
>
> Why?
> Perhaps I missed something in openssl manual ... :(
> These differences gave me troubles using custom certificates in some
> software.
> Any suggestion?
>
>
> The output from openssl req includes an additional layer of encoding and
> the rsaEncryption OID around the actual key parameters, as can be seen
> using openssl asn1parse.  The conversion with 'openssl rsa' removes that
> extra encoding.
>
> -Ben
>


Re: [openssl-users] private key difference: openssl genrsa vs opnessl req newkey

2017-07-26 Thread Benjamin Kaduk via openssl-users
On 07/26/2017 10:13 AM, Michele Mase' wrote:
> During the generation of x509 certificates, both commands give the
> same results:
>
> Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key
> -out example.csr -subj "/C=GB/ST=London/L=London/O=Global
> Security/OU=IT Department/CN=example.com"
> Command "b": openssl genrsa -out example.key
>
> Both commands give me a private key without password, a key that is
> not encrypted.
> To remove the passphrase from private key, I use the
> Command "c":openssl rsa -in example.key -out example2.key
>
> The command "c" against the example.key generated by command "a",
> gives the same private key with different content between --BEGIN RSA
> and --END RSA. Simply, try the following:
> diff example.key example2.key, the files are different.
>
> The command "c" against example.key generated by the command "b"
> produces the same file. No differences.
>
> Why?
> Perhaps I missed something in openssl manual ... :(
> These differences gave me troubles using custom certificates in some
> software.
> Any suggestion?

The output from openssl req includes an additional layer of encoding and
the rsaEncryption OID around the actual key parameters, as can be seen
using openssl asn1parse.  The conversion with 'openssl rsa' removes that
extra encoding.

-Ben
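
The wrapping discussed in this thread (the rsaEncryption OID and an extra encoding layer, PKCS#8, around the legacy RSA-specific key structure), shown as an added Python example that is not part of the original posts. Helper names are hypothetical and the key is a constructed toy value, not a usable key.

```python
# Added illustration: helper names are hypothetical, the toy key is constructed.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """Encode one DER element with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def der_int(i):
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def wrap_pkcs8(pkcs1):
    """Legacy RSAPrivateKey -> unencrypted PKCS#8 PrivateKeyInfo."""
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))   # OID + NULL params
    return tlv(0x30, der_int(0) + alg + tlv(0x04, pkcs1))  # key rides in OCTET STRING

def classify(der):
    """Return ("pkcs1", der) or ("pkcs8", inner legacy key bytes)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body)               # version INTEGER in both formats
    tag2, second, pos = read_tlv(body, pos)
    if tag2 == 0x02:                         # second field is the modulus: legacy
        return "pkcs1", der
    if tag2 != 0x30 or read_tlv(second)[:2] != (0x06, RSA_OID):
        raise ValueError("not an RSA PKCS#8 PrivateKeyInfo")
    tag3, inner, _ = read_tlv(body, pos)
    if tag3 != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    return "pkcs8", inner

def toy_pkcs1():
    """Constructed toy RSAPrivateKey (p=61, q=53); far too small for real use."""
    p, q, e, d = 61, 53, 17, 2753
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return tlv(0x30, b"".join(der_int(f) for f in fields))
```

For a PEM file, base64-decode the body between the BEGIN and END lines and pass the bytes to classify(); a "pkcs8" result carries the inner legacy-format bytes unchanged.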


[openssl-users] private key difference: openssl genrsa vs opnessl req newkey

2017-07-26 Thread Michele Mase'
During the generation of x509 certificates, both commands give the same
results:

Command "a": openssl req -nodes -newkey rsa:2048 -keyout example.key -out
example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT
Department/CN=example.com"
Command "b": openssl genrsa -out example.key

Both commands give me a private key without password, a key that is not
encrypted.
To remove the passphrase from private key, I use the
Command "c":openssl rsa -in example.key -out example2.key

The command "c" against the example.key generated by command "a", gives the
same private key with different content between --BEGIN RSA and --END RSA.
Simply, try the following:
diff example.key example2.key, the files are different.

The command "c" against example.key generated by the command "b" produces
the same file. No differences.

Why?
Perhaps I missed something in openssl manual ... :(
These differences gave me troubles using custom certificates in some
software.
Any suggestion?
Regards
Michele MAsè