Create A 2048-bit Key Via OpenSSL

We are fast approaching the date where NIST has recommended that end entities stop utilizing 1024-bit private keys. OpenSSL, however, currently defaults to creating 1024-bit keypairs. To create a 2048-bit private key and corresponding CSR (which you can send to a certificate authority to obtain your SSL certificate):

openssl req -new -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr

This command will make a 2048-bit key, run the interactive prompt to populate the fields of the certificate signing request, and leave the private key unencrypted (-nodes). You can remove -nodes if you wish, but encrypting the private key will require you to type the password every time you start an application (like apache) that uses it.

openssl

Print article

This entry was posted by Paul Kehrer on October 31, 2009 at 11:32 am, and is filed under Posts. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

Parsing A CRL With OpenSSL

about 1 month ago - No comments

Short and sweet. This command will give you a list of revoked serial numbers:

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure if it is DER or PEM open it with a text editor. More >

OpenSSL and IDN Certificates

about 2 months ago - No comments

As internationalized domain names (IDN) proliferate more people need to test with, and ultimately purchase, IDN certificates. If you need to generate a CSR or even a self-signed certificate for an internationalized domain follow these steps:

Take the UTF-8 characters and paste them into a punycode converter (also known as ASCII compatible encoding, or ACE).
The More >

Find A Matching Certificate And Key Pair

about 4 months ago - No comments

If you have a list of keys and SSL certs and don’t know which cert belongs with which key, here’s a script for you. It’s not efficient (nested for loop!), but it gets the job done quickly.1

#!/bin/bash
for i in `ls *.key`
do
key_mod=`openssl rsa -noout -in $i -modulus`
for j in `ls *.cer`
do
x509_mod=`openssl x509 -noout -in More >

Check If A Certificate & Private Key Match

about 5 months ago - 1 comment

Check if an SSL certificate and private key match in two simple commands. The OpenSSL commands below will require you to replace <file> with your file’s name.
For your SSL certificate:1

openssl x509 -noout -modulus -in <file> | md5sum

For your RSA private key:

openssl rsa -noout -modulus -in <file> | md5sum

The output of these commands should be More >

Using OpenSSL s_time

about 11 months ago - No comments

Recently I needed to do some performance testing of an SSL instance on a VM. I considered using JMeter, but decided to use OpenSSL to get a rudimentary picture instead.
To obtain a basic result, we connect to the server and pull the /index.php file. You can specify whatever file you’d like to download, More >

RSA Encryption and Signing

about 11 months ago - 1 comment

OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical because the encrypted/signed data cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or More >

Creating a PKCS7 (P7B) Using OpenSSL

about 11 months ago - No comments

Continuing the howto nature of this blog (and its peculiar obsession with OpenSSL), here’s a primer on packaging an arbitrary number of certificates into a single PKCS7 container. These files are quite useful for installing multiple certificates on Windows servers. They differ from PKCS12 (PFX) files in that they can’t store private keys. More >

Checking A Remote Certificate Chain With OpenSSL

about 12 months ago - 1 comment

If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.1
First let’s do a standard webserver connection (-showcerts dumps the PEM encoded certificates More >

Re-Signing An Expired CA Certificate

about 1 year ago - No comments

On rare occasions you may find yourself with a self-signed internal CA that has expired while you are still using certificates issued from the CA. One potential solution to this problem is to self-sign a new cert with identical fields using the private key from the old certificate.1
You can fill in almost all the More >

OpenSSL SAN/UCC Certificate Generation

about 1 year ago - 1 comment

Signing a CSR containing subjectAltName (SAN/UCC) extensions isn’t hard, but can be a daunting challenge for the OpenSSL neophyte. We’re going to use the OpenSSL Self-Signed CA to accomplish this task in two ways.
Pre-Existing SAN CSR
Either you already have a SAN CSR from another source or you generated one using the tutorial from yesterday. More >