Notes on RSA Key Production
To make a 2048-bit RSA key in whatever.key:
cd /etc/httpd/conf/ssl.key
openssl genrsa -out whatever.key 2048
This produces an output file that is a PEM-encoded PKCS#1 private key (an ASN.1 RSAPrivateKey structure). It is not encrypted in any way, which is a problem if you think the file might be exposed.
If you want to look at the components that have been generated:
openssl rsa -in whatever.key -noout -text
Make a certificate signing request for this:
openssl req -new -key whatever.key -out whatever.csr
Make a temporary self-signed key while you wait for the response to the CSR:
openssl x509 -req -days 30 -in whatever.csr -signkey whatever.key -out whatever.crt
You can make a key on-the-fly while creating the CSR:
openssl req -new -newkey rsa:2048 -keyout whatever.key -out whatever.csr
In this case, you'll get a PEM-encoded key file with extra lines inside the header naming the encryption cipher. By default the key file is 3DES-encrypted with a password that is requested during the creation process.
You can decrypt a key in this format like this:
openssl rsa -in sekrit.pem -out clear.pem
This prompts for an (input) password.
To encrypt an unprotected key:
openssl rsa -in clear.pem -out sekrit.pem -des3
This prompts for an (output) password.
To take an unprotected key and convert it into an unencrypted PKCS#8 file:
openssl pkcs8 -topk8 -in clear.pem -out pk8.pem -nocrypt
To take an unprotected key and convert it into an encrypted PKCS#8 file:
openssl pkcs8 -topk8 -in clear.pem -out pk8.pem
In PKCS#8 files, the encryption suite used is named inside the ASN.1 structure, rather than in the textual wrapping. This is the kind of file you need if you want to be able to import keys into a Java keystore using extkeytool.
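As an added example (not part of the original notes), the script below runs the whole sequence above non-interactively in a scratch directory and then performs the checks worth doing before a key goes into service: which files are encrypted, whether the private key is arithmetically consistent, and whether key, CSR, certificate and every re-encoded copy share one modulus. It assumes the openssl command-line tool is installed; the file names, the subject and the password example-pw are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): the key-production steps above
# run end to end without prompts, followed by the checks you run on the results.
# Assumes the openssl CLI is on PATH; "example-pw" and the subject are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Generate the key (PKCS#1 "RSA PRIVATE KEY" on older OpenSSL, PKCS#8 on 3.x).
openssl genrsa -out whatever.key 2048 2>/dev/null

# 2. CSR for that key; -subj replaces the interactive questions.
openssl req -new -key whatever.key -out whatever.csr -subj "/CN=whatever.example"

# 3. Temporary self-signed certificate while waiting for the CA's answer.
openssl x509 -req -days 30 -in whatever.csr -signkey whatever.key -out whatever.crt 2>/dev/null

# 4. Encrypt with 3DES, then decrypt again (-passout/-passin replace the prompts).
openssl rsa -in whatever.key -out sekrit.pem -des3 -passout pass:example-pw 2>/dev/null
openssl rsa -in sekrit.pem -out clear.pem -passin pass:example-pw 2>/dev/null

# 5. PKCS#8, unencrypted and encrypted.
openssl pkcs8 -topk8 -in clear.pem -out pk8.pem -nocrypt
openssl pkcs8 -topk8 -in clear.pem -out pk8-enc.pem -passout pass:example-pw

# First line of a PEM file: tells PKCS#1, PKCS#8 and encrypted PKCS#8 apart.
pem_label() { head -n 1 "$1"; }

# Encrypted keys show it in the textual wrapping: legacy PEM through a
# "Proc-Type: 4,ENCRYPTED" header (cipher in DEK-Info), PKCS#8 through its BEGIN line.
is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Arithmetic consistency of the private key (p, q, d and the CRT values).
key_ok() { openssl rsa -in "$1" -passin pass:example-pw -check -noout >/dev/null 2>&1; }

# Modulus of a key, CSR or certificate: equal moduli mean they belong together,
# which is the check to run before pairing a key file with a certificate.
key_modulus() { openssl rsa -in "$1" -noout -modulus -passin pass:example-pw 2>/dev/null; }
csr_modulus() { openssl req -in "$1" -noout -modulus; }
crt_modulus() { openssl x509 -in "$1" -noout -modulus; }

# Summary: which files are encrypted, and whether the certificate matches the key.
for f in whatever.key sekrit.pem clear.pem pk8.pem pk8-enc.pem; do
    printf '%-13s %-40s %s\n' "$f" "$(pem_label "$f")" "$(is_encrypted "$f" && echo encrypted || echo plain)"
done
[ "$(crt_modulus whatever.crt)" = "$(key_modulus whatever.key)" ] && echo "key and certificate match"
```

On OpenSSL 3.x, genrsa and rsa write PKCS#8 (BEGIN PRIVATE KEY / BEGIN ENCRYPTED PRIVATE KEY) unless -traditional is given, so whatever.key and sekrit.pem are labelled PKCS#8 there; the pkcs8 outputs look the same on every version.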