
Maximum size of a x509 certificate file


Satish Chandra Kilaru

Jun 17, 2009, 4:01:05 PM
Hi All

Is there an upper limit on the size of an x509 certificate file in
PEM format? Suppose that I am using a 4096-bit key.
Is there a way to calculate such a length?

Similarly, is there an upper limit on the size of a PEM format private
key file? I am using a 4096-bit key.

Thank you
--Satish
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Kyle Hamilton

Jun 17, 2009, 5:38:33 PM
There is no upper limit on the size of an x.509 certificate file in
DER. PEM takes DER and increases its size by 4/3. So no, there is no
upper limit on the size of a PEM format certificate.

Your private key is 4096 bits, or 512 bytes. OpenSSL stores private
keys with their public counterparts (another 512 bytes), padding (1
byte for each part of it), exponent (usually 3 bytes), and the tag
required to identify it as a PrivateKeyInfo structure (about another 6
bytes all told, though I might be off on my count). So, that's about
1.1k. PEM takes this and increases its size by 4/3, which means that
it'll be about 1380 encoded bytes. Add the '-----BEGIN PRIVATE
KEY-----' and '-----END PRIVATE KEY-----', and that's another 50
bytes, for a total of 1420 bytes. (If it's an encrypted private key,
it'll be a bit bigger.) There is no upper bound per se, but a file
containing a private key shouldn't be larger than about 2048 bytes if
it uses any (currently-)reasonable keysize.

That said, going through the motions with a 16384-byte key yields
about 4104 bytes, which in PEM would be about 5522 bytes (again,
larger if it's encrypted). (I'm verifying these figures right now; I
figure it'll take about as long to generate a 16384-bit key today on
my Core2 Duo 2.16GHz as it did to generate a 1024-bit PGP key on a
386DX 20MHz in 1995.)

-Kyle H


Satish Chandra Kilaru

Jun 17, 2009, 6:00:45 PM
Thank you. I was thinking the same. I thought a 5K buffer should be
enough to store a 4K bit key in PEM format.

I am curious to know how long it took for you to generate the 16Kbit key.

--Satish


Kyle Hamilton

Jun 17, 2009, 8:27:04 PM
2.5 hours. And the file size ended up (just the private key, in PEM
format) 12603 bytes.

-Kyle H
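
Added example (not part of the original thread): a calculator for the worst-case DER and PEM size of an unencrypted two-prime RSA private key, summing every INTEGER field of the PKCS#1 `RSAPrivateKey` structure and then applying the 4/3 base64 expansion, 64-character lines and BEGIN/END markers. The function names are hypothetical; it assumes e = 65537 and LF line endings.

```python
# Added example: upper bound on the size of an unencrypted RSA private key.
# Assumptions: two-prime RSA, 17-bit public exponent, 64-column base64, LF.

def der_tlv(content_len: int) -> int:
    """Total bytes of one DER element: tag + length octets + content."""
    if content_len < 0x80:
        return 2 + content_len                    # short-form length
    len_octets = (content_len.bit_length() + 7) // 8
    return 2 + len_octets + content_len           # 0x8N prefix + N octets

def der_uint(max_bits: int) -> int:
    """Largest DER INTEGER holding a non-negative value of max_bits bits.
    DER integers are signed, so a full top byte costs a leading 0x00."""
    return der_tlv(max_bits // 8 + 1)

def rsa_private_key_der_max(bits: int, e_bits: int = 17,
                            pkcs8: bool = False) -> int:
    body = (der_uint(0)                  # version = 0
            + der_uint(bits)             # modulus n
            + der_uint(e_bits)           # publicExponent
            + der_uint(bits)             # privateExponent d
            + 5 * der_uint(bits // 2))   # p, q, dP, dQ, qInv
    key = der_tlv(body)                  # PKCS#1 RSAPrivateKey SEQUENCE
    if pkcs8:
        alg_id = 15                      # SEQUENCE { OID rsaEncryption, NULL }
        # PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING { key }
        key = der_tlv(der_uint(0) + alg_id + der_tlv(key))
    return key

def pem_size(der_len: int, label: str, eol: int = 1) -> int:
    b64 = 4 * ((der_len + 2) // 3)       # base64: 3 bytes -> 4 characters
    lines = (b64 + 63) // 64             # one line ending per 64-char line
    header = len(f"-----BEGIN {label}-----") + eol
    footer = len(f"-----END {label}-----") + eol
    return header + b64 + lines * eol + footer

def rsa_private_key_pem_max(bits: int, pkcs8: bool = False) -> int:
    label = "PRIVATE KEY" if pkcs8 else "RSA PRIVATE KEY"
    return pem_size(rsa_private_key_der_max(bits, pkcs8=pkcs8), label)

if __name__ == "__main__":
    print("bits  DER  PEM(traditional)  PEM(PKCS#8)")
    for bits in (2048, 4096, 16384):
        print(bits, rsa_private_key_der_max(bits),
              rsa_private_key_pem_max(bits),
              rsa_private_key_pem_max(bits, pkcs8=True))
```

For 16384 bits the traditional-format bound is 12607 bytes, consistent with the 12603-byte file reported above. Use the result to size buffers for keys you generate, and still enforce an explicit length cap when reading PEM from untrusted sources, since certificates have no such bound.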

