RSA Encryption and Signing

OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical because the encrypted/signed data cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or RC4, et cetera) key to do symmetric encryption thereafter.¹

Generate a private key. You can change the last number to the preferred modulus size. Keys greater than 4096-bit will take a long time to generate.²

openssl genrsa -out private.pem 4096

With the private key we can now encrypt the data.

openssl rsautl -encrypt -inkey private.pem -in publicfile -out privatefile

To decrypt just reverse it.

openssl rsautl -decrypt -inkey private.pem -in privatefile -out publicfile

If you would rather sign the data…

openssl rsautl -sign -inkey private.pem -in filetosign -out signed_data

To verify the signature just use -verify.³

openssl rsautl -verify -inkey private.pem -in signed_data

Another big reason is speed. AES is much, much faster than RSA. ↩
If you attempt to encrypt or sign data larger than your key length allows, you will receive an error similar to this: 23465:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151: ↩
You can also use -hexdump or -raw to view the data in those forms. ↩

aes, crypto, openssl, rsa, ssl

Print article

This entry was posted by Paul Kehrer on March 21, 2009 at 11:02 pm, and is filed under Posts. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (1)

#1 written by Uncle Dan
about 11 months ago

Hey Paul; bet you never figured your old Uncle Dan would land on your blog…then again, you probably didn’t know I now have a blog myself (whatworksforbusiness.com). Uses wordpress; self-hosted. The right column widgets on mine are boring and I’m trying to figure out how to make it look better. btw, we launched a new homepage yesterday at Business.com; check it out

No trackbacks yet.

SNI Support in Chromium OS X

about 1 week ago - No comments

As of r39934 Chromium now supports the server_name TLS extension (server name indication) in OS X (latest build). This support requires OS X 10.5.7 or later. Hopefully it’ll make its way into a dev/beta/stable release of Google Chrome itself soon.
For those who are more curious than they ought to be about how I More >

Parsing A CRL With OpenSSL

about 1 month ago - No comments

Short and sweet. This command will give you a list of revoked serial numbers:

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure if it is DER or PEM open it with a text editor. More >

OpenSSL and IDN Certificates

about 2 months ago - No comments

As internationalized domain names (IDN) proliferate more people need to test with, and ultimately purchase, IDN certificates. If you need to generate a CSR or even a self-signed certificate for an internationalized domain follow these steps:

Take the UTF-8 characters and paste them into a punycode converter (also known as ASCII compatible encoding, or ACE).
The More >

Find A Matching Certificate And Key Pair

about 4 months ago - No comments

If you have a list of keys and SSL certs and don’t know which cert belongs with which key, here’s a script for you. It’s not efficient (nested for loop!), but it gets the job done quickly.1

#!/bin/bash
for i in `ls *.key`
do
key_mod=`openssl rsa -noout -in $i -modulus`
for j in `ls *.cer`
do
x509_mod=`openssl x509 -noout -in More >

SSL VHosting On The Same IP (aka SNI)

about 4 months ago - 2 comments

Server Name Indication (SNI), an extension to TLS, allows browsers that support it to connect to SSL hosts that do not have dedicated IPs (much like standard http virtual hosting has worked for years). This extension, however, must be supported on both the server and client side. Microsoft has not yet chosen to More >

Create A 2048-bit Key Via OpenSSL

about 4 months ago - No comments

We are fast approaching the date where NIST has recommended that end entities stop utilizing 1024-bit private keys. OpenSSL, however, currently defaults to creating 1024-bit keypairs. To create a 2048-bit private key and corresponding CSR (which you can send to a certificate authority to obtain your SSL certificate):

openssl req -new -nodes -newkey rsa:2048 -keyout More >

Check If A Certificate & Private Key Match

about 5 months ago - 1 comment

Check if an SSL certificate and private key match in two simple commands. The OpenSSL commands below will require you to replace <file> with your file’s name.
For your SSL certificate:1

openssl x509 -noout -modulus -in <file> | md5sum

For your RSA private key:

openssl rsa -noout -modulus -in <file> | md5sum

The output of these commands should be More >

Firefox Autoenrollment With A Microsoft CA

about 11 months ago - No comments

If you’re running a Microsoft CA and you want to be able to accept enrollment requests from clients supporting keygen (Firefox, Safari, Opera, et cetera) you’ve probably found that the /certsrv/ page allows enrollment, but the requests fail when you attempt to issue the certificate. This is because the server is not parsing the subject More >

Using OpenSSL s_time

about 11 months ago - No comments

Recently I needed to do some performance testing of an SSL instance on a VM. I considered using JMeter, but decided to use OpenSSL to get a rudimentary picture instead.
To obtain a basic result, we connect to the server and pull the /index.php file. You can specify whatever file you’d like to download, More >

Creating a PKCS7 (P7B) Using OpenSSL

about 11 months ago - No comments

Continuing the howto nature of this blog (and its peculiar obsession with OpenSSL), here’s a primer on packaging an arbitrary number of certificates into a single PKCS7 container. These files are quite useful for installing multiple certificates on Windows servers. They differ from PKCS12 (PFX) files in that they can’t store private keys. More >

RSA Encryption and Signing

No trackbacks yet.

SNI Support in Chromium OS X

Parsing A CRL With OpenSSL

OpenSSL and IDN Certificates

Find A Matching Certificate And Key Pair

SSL VHosting On The Same IP (aka SNI)

Create A 2048-bit Key Via OpenSSL

Check If A Certificate & Private Key Match

Firefox Autoenrollment With A Microsoft CA

Using OpenSSL s_time

Creating a PKCS7 (P7B) Using OpenSSL

Fidgetr – Favorites

Fidgetr – Latest

Archives