
Openssl generating 1024 bit keys when default_bits is set to 4096 bit


Ralf Skyper Kaiser

Oct 11, 2013, 3:34:59 AM
Hi,

OpenSSL 1.0.1e 11 Feb 2013

$ grep bits openssl.cnf
default_bits            = 4096

=> Note that the default_bits are set to 4096.

$ openssl req -config openssl.cnf -nodes -newkey rsa -keyout testkey.pem  -keyform PEM -out testreq.pem -outform PEM
Generating a 4096 bit RSA private key
..++++++
...........................++++++
writing new private key to 'testkey.pem'

=> Note that Openssl tells us that it is generating a 4096 bit key.


$ openssl rsa -text <testkey.pem  | less | grep Key
Private-Key: (1024 bit)

=> ...but openssl generated a 1024 bit key instead.


(The workaround is to force openssl with -newkey rsa:4096.)

Two concerns:
1. Openssl should create a 4096 bit key if the default setting is 4096 bit.
2. Openssl should not show that a 4096 bit key is generated and then generate something much weaker.

regards,

skyper

Jan Just Keijser

Oct 11, 2013, 5:11:07 AM
Hi Ralf,
the output of the command you gave is indeed confusing, but if you use

$ openssl req -config openssl.cnf -nodes -new -keyout testkey.pem -keyform PEM -out testreq.pem

to generate the key+request the correct value *is* picked up from the
openssl.cnf file.

I don't yet understand why the 'req' command does pick up the setting
from the openssl.cnf file yet it generates the private key using the
default key size.

HTH,

JJK

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org
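
The check from the first message (inspect the key that was written rather than trusting the "Generating a 4096 bit RSA private key" line), as an added example that is not part of the thread or of OpenSSL. The function names are hypothetical; the parser accepts the "Private-Key: (N bit)" line shown above and the "(N bit, 2 primes)" form printed by later OpenSSL releases.

```shell
#!/bin/sh
# Added example: gate on the real RSA modulus size of a generated key.
# Function names are hypothetical; only `openssl rsa -in F -noout -text` is a real command.

# Read `openssl rsa -text -noout` output on stdin, print the key size in bits.
parse_key_bits() {
    sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Read `openssl req` progress output on stdin, print the size it announces.
announced_bits() {
    sed -n 's/^Generating a \([0-9][0-9]*\) bit RSA private key.*$/\1/p' | head -n 1
}

# check_bits WANT GOT
# Returns 0 if GOT >= WANT, 1 if the key is too small, 2 if GOT is not a number.
check_bits() {
    want=$1
    got=$2
    case $got in
        ''|*[!0-9]*)
            echo "could not determine key size" >&2
            return 2
            ;;
    esac
    if [ "$got" -lt "$want" ]; then
        echo "key is $got bit, expected at least $want bit" >&2
        return 1
    fi
    return 0
}

# verify_key_file WANT FILE
# Inspects the private key actually written to disk (unencrypted, as with -nodes).
verify_key_file() {
    bits=$(openssl rsa -in "$2" -noout -text 2>/dev/null | parse_key_bits)
    check_bits "$1" "$bits"
}

# Stand-alone use: sh script.sh 4096 testkey.pem
if [ $# -ge 2 ]; then
    verify_key_file "$1" "$2"
fi
```

Run after key generation with the required size and the key file; a non-zero exit status means the key should not be used.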
