OpenSSL – Difference Between ‘genpkey -algorithm RSA’ and ‘genrsa’

openssl

What is difference between below two commands?
1. openssl genpkey -algorithm RSA
2. openssl genrsa

In document difference is "Private Key" and "RSA Private Key".

Then..
What is diference between "Private Key with algorithm RSA" and "RSA Private Key"?

Best Answer

The genpkey command can create other types of private keys - DSA, DH, EC and maybe GOST - whereas the genrsa, as it's name implies, only generates RSA keys. There are equivalent gendh and gendsa commands.

However, the OpenSSL documentation states that these gen* commands have been superseded by the generic genpkey command.

In the case of your examples, both generate RSA private keys.

openssl genrsa -out genrsa.key 2048

and

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out genpkey.key

will generate a 2048 bit RSA key with the exponent set to 65537.

Simply cat the resulting files to see that they are both PEM format private keys; although openssl rsa encloses them in BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY while openssl genpkey omits the RSA. The former is PKCS#1 format, while the latter is PKCS#8.

Running openssl rsa text -in <filename> against both shows that they are RSA private keys with the same publicExponent. The newer genpkey command has the option to change this using -pkeyopt rsa_keygen_pubexp:value while the genrsa command doesn't have this option.

Related Solutions

RSA 2048 keypair generation: via openssl 0.5s via gpg 30s, why the difference

GnuPG consumes several bytes from /dev/random for each random byte it actually uses. You can easily check that with this command:

start cmd:> strace -e trace=open,read gpg --armor --gen-random 2 16 2>&1 | tail
open("/etc/gcrypt/rngseed", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\\\224F\33p\314j\235\7\200F9\306V\3108", 16) = 16
open("/dev/random", O_RDONLY)           = 4
read(4, "/\311\342\377...265\213I"..., 300) = 128
read(4, "\325\3\2161+1...302@\202"..., 172) = 128
read(4, "\5[\372l\16?\...6iY\363z"..., 44) = 44
open("/home/hl/.gnupg/random_seed", O_WRONLY|O_CREAT, 0600) = 5
cCVg2XuvdjzYiV0RE1uzGQ==
+++ exited with 0 +++

In order to output 16 bytes of high-quality entropy GnuPG reads 300 bytes from /dev/random.

This is explained here: Random-Number Subsystem Architecture

Linux stores a maximum of 4096 bytes (see cat /proc/sys/kernel/random/poolsize) of entropy. If a process needs more than available (see cat /proc/sys/kernel/random/entropy_avail) then the CPU usage becomes more or less irrelevant as the feeding speed of the kernel's entropy pool becomes the relevant factor.

OpenSSL, basic configuration, new_certs_dir, certs

As shown in the documentation

https://www.openssl.org/docs/man1.1.0/apps/ca.html

new_certs_dir is used by the CA to output newly generated certs.

certs is not used here. However its referenced in the demoCA: "./demoCA/certs - certificate output file" Certs is ALSO not used for certificate chains as shown here:

https://www.openssl.org/docs/man1.1.0/apps/pkcs12.html or https://www.openssl.org/docs/man1.1.0/apps/verify.html

Note that /etc/ssl/certs is the default location for issued certs. But the certs variable is $dir/certs so it would be ./demoCA/certs I think we all agree its for issued certs specific to the CA. This makes sense because the CA might be signing certs that are chained to certs not yet issued by any public cert authority.

But where is the documentation for this? I believe its an artifact of the configuration file. It use to be used for options like certificate which would hold the ca.pem within certs so certificate=$certs/ca.pem.

I vaguely recall having this exact same question until I realized it was used later in the config file but now its not.

Edit: It gets weirder. The current version of ca.c here: https://github.com/openssl/openssl/blob/master/apps/ca.c does not reference certs. But much older versions such as this: https://github.com/openssl/openssl/blob/d02b48c63a58ea4367a0e905979f140b7d090f86/apps/ca.c Reference it but do nothing with it.

Best Answer

Related Solutions

RSA 2048 keypair generation: via openssl 0.5s via gpg 30s, why the difference

OpenSSL, basic configuration, new_certs_dir, certs

Related Question