Openssl generating 1024 bit keys when default_bits is set to 4096 bit

Openssl generating 1024 bit keys when default_bits is set to 4096 bit Ralf Skyper Kaiser 10/11/13 12:34 AM
Hi,

OpenSSL 1.0.1e 11 Feb 2013

$ grep bits openssl.cnf
default_bits            = 4096

=> Note that the default_bits are set to 4096.

$ openssl req -config openssl.cnf -nodes -newkey rsa -keyout testkey.pem  -keyform PEM -out testreq.pem -outform PEM
Generating a 4096 bit RSA private key
..++++++
...........................++++++
writing new private key to 'testkey.pem'

=> Note that Openssl tells us that it is generating a 4096 bit key.


$ openssl rsa -text <testkey.pem  | less | grep Key
Private-Key: (1024 bit)

=> ...but openssl generated a 1024 bit key instead.


(The workaround is to force openssl with -newkey rsa:4096.)

Two concerns:
1. Openssl should create a 4096 bit key if the default setting is 4096 bit.
2. Openssl should not show that a 4096 bit key is generated and then generate something much weaker.

regards,

skyper
Re: Openssl generating 1024 bit keys when default_bits is set to 4096 bit Jan Just Keijser 10/11/13 2:11 AM
Hi Ralf,
the output of the command you gave is indeed confusing, but if you use

  $ openssl req -config openssl.cnf -nodes -new -keyout testkey.pem -keyform PEM -out testreq.pem

to generate the key+request the correct value *is* picked up from the
openssl.cnf file.

I don't yet understand why the 'req' command does pick up the setting
from the openssl.cnf file yet it generates the private key using the
default key size.

HTH,

JJK

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       opens...@openssl.org
Automated List Manager                           majo...@openssl.org
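
Added example (not part of either message, and not OpenSSL project code): a POSIX shell check that reads the key size from the generated key itself instead of trusting the "Generating a 4096 bit RSA private key" banner, which is the mismatch reported in this thread. The function names `key_bits`, `bits_ok` and `require_key_bits` are hypothetical, and the parser assumes the `-Key: (N bit)` line format shown in the thread's `openssl rsa -text` output.

```sh
#!/bin/sh
# Added example: gate on the real RSA key size after generation.
# All function names here are hypothetical, not OpenSSL tooling.

# key_bits: read `openssl rsa -noout -text` (or `openssl req -noout -text`)
# output on stdin and print the size from the first "...-Key: (N bit" line.
# The "Generating a N bit RSA private key" banner never matches this pattern,
# so the announced size cannot be mistaken for the actual one.
key_bits() {
    sed -n 's/^.*-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# bits_ok MIN BITS: succeed only if BITS is a plain number and BITS >= MIN.
bits_ok() {
    case "$2" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as failure
    esac
    [ "$2" -ge "$1" ]
}

# require_key_bits MIN KEYFILE: fail unless the key in KEYFILE has >= MIN bits.
require_key_bits() {
    bits=$(openssl rsa -in "$2" -noout -text 2>/dev/null | key_bits)
    if bits_ok "$1" "$bits"; then
        echo "OK: $2 is $bits bit"
    else
        echo "FAIL: $2 is '${bits:-unreadable}' bit, need >= $1" >&2
        return 1
    fi
}

# Usage: sh check_key.sh 4096 testkey.pem
if [ "$#" -eq 2 ]; then
    require_key_bits "$1" "$2"
fi
```

Run it right after key generation in any script that creates keys, so a key weaker than the configured size stops the process instead of ending up in a certificate request.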