RSA Keygen Howto

From Devipedia


Generate a 2048-bit RSA private key

openssl genrsa -out test.key 2048

Open the resulting file in a text editor and you will see something like:

-----BEGIN RSA PRIVATE KEY-----
(base64-encoded key body omitted)
-----END RSA PRIVATE KEY-----

Use the -3 option if you want a public exponent of 0x03 instead of the default 65537 (0x10001):

openssl genrsa -3 -out test.key 1152

Get Public Exponent

You can get important key details by running this command:

openssl rsa -in test.key  -text
Private-Key: (2048 bit)
modulus:
    00:b4:2d:06:63:b4:20:64:0a:1b:99:bd:a8:1b:2f:
    df:e7:4a:b1:7b:92:ca:25:af:4e:9b:e3:fd:50:e4:
    99:ea:c2:90:88:2f:7f:37:64:c5:83:fc:5e:7d:62:
    b1:0a:f7:31:d4:d4:e5:e0:65:4c:41:09:2d:b2:6c:
    a7:88:47:fc:48:2b:2b:97:9b:be:cc:47:5e:15:07:
    36:71:ed:13:fc:61:44:fd:2a:30:e8:5c:89:a0:26:
    c7:c0:31:32:3c:3e:a4:4b:e6:ec:c2:dc:c3:f8:ef:
    5b:36:22:0c:e0:0d:93:b8:18:ab:79:90:96:6e:5f:
    c6:fa:47:a0:1a:63:18:4b:7c:cb:32:92:7b:6c:72:
    c6:67:3a:f1:45:0e:11:5e:3b:d8:f6:d4:96:a2:f5:
    c6:66:19:f5:95:85:51:2e:73:10:fc:fc:97:3b:44:
    b0:fd:b2:43:fe:6a:c7:ca:33:f4:69:b6:64:b1:a3:
    2b:f1:19:84:2a:5a:26:d6:4c:50:97:4f:44:d2:6f:
    10:32:b4:7a:d4:b2:e7:23:d9:64:61:4b:6d:35:d3:
    8a:39:b6:ba:b3:ad:72:c0:6d:3a:fc:d4:3c:7d:a9:
    7a:48:6d:60:2f:64:89:68:f2:f3:ec:8f:38:db:ad:
    0a:dd:59:e3:03:8d:99:ef:7a:43:7b:f6:12:9b:a7:
    b5:f3
publicExponent: 65537 (0x10001)
privateExponent:
    58:25:fb:0d:46:6f:de:61:af:95:2c:db:94:c9:7c:
    52:8d:11:7d:f2:97:e1:8d:fd:f8:78:b7:53:1f:34:
    4a:4d:7c:26:94:8e:39:cc:9c:71:71:43:cd:36:3e:
    85:ad:e0:7c:4e:d8:54:4b:5a:de:2a:9e:67:bf:8e:
    cb:36:e4:af:6e:27:7a:99:e0:e3:d2:3a:ae:31:04:
    2b:02:a1:17:85:83:1a:14:cd:2e:b1:2f:47:e2:11:
    31:ef:1f:b3:a7:b5:fb:c8:73:a6:f6:19:0e:ae:13:
    c2:cd:2f:dd:61:e7:16:57:43:75:4b:0e:bd:db:2f:
    de:fc:b1:d0:97:10:a8:c5:07:b8:56:1f:bf:55:c8:
    02:b9:4f:27:36:5e:ee:35:b1:a8:ec:29:19:2c:b8:
    7a:b4:1d:52:6a:66:41:c8:f9:5a:be:56:f4:c9:94:
    98:57:6f:1f:9d:1b:a1:c3:34:d0:18:1e:bc:bf:81:
    ac:4f:25:6e:58:8c:09:00:4d:b2:5d:a6:4f:66:7e:
    98:7e:1b:10:d4:81:bb:83:2e:d9:fb:b0:95:80:28:
    4d:8c:a1:09:a8:a8:64:4e:8e:60:71:80:7f:13:53:
    f4:eb:15:32:c9:5d:8e:3a:24:e7:96:81:37:d6:e6:
    7e:97:61:5d:f9:f8:4a:a8:b5:ad:2c:8c:fe:54:e4:
    d9
prime1:
    00:e2:64:da:c5:bb:8a:26:3c:a6:a8:03:99:ac:3c:
    73:0a:1f:d8:94:8b:6d:89:50:5e:74:fc:ef:43:f9:
    6b:93:d5:3f:08:3f:a5:bc:d6:d3:73:47:d1:2e:f6:
    42:a3:4e:da:6d:e7:b0:ed:1d:f0:bf:19:bc:86:8a:
    df:52:f7:d3:60:49:63:b2:2f:59:fe:ab:f6:a6:c4:
    58:f1:88:eb:74:cc:02:d1:b7:98:9c:e2:27:50:24:
    4c:74:47:73:5f:86:af:23:e4:45:42:76:1d:70:e1:
    de:12:89:78:4a:58:fd:28:3e:61:90:b7:fa:90:79:
    a3:94:1a:fc:4f:ee:ca:01:2d
prime2:
    00:cb:bc:e5:5f:04:9c:96:ad:4d:a6:73:b8:32:48:
    8f:1f:61:5a:7a:5f:58:20:cb:0f:06:93:76:63:77:
    c4:9c:87:19:63:5d:1e:e4:0a:49:52:66:cd:a0:ea:
    c1:49:69:e5:6b:33:62:7e:38:b4:6c:c7:5e:3c:64:
    14:18:9c:cc:68:a6:9c:9b:fc:b8:8d:24:67:3f:0e:
    34:db:c8:02:c1:e1:12:12:da:4d:f8:35:cf:18:5b:
    bc:37:7a:7e:c9:e8:de:fd:b5:36:7a:99:12:96:a4:
    83:96:e3:4c:42:9f:45:13:ac:27:2e:79:91:b1:86:
    3f:0d:8b:dd:88:e0:c3:c7:9f
exponent1:
    11:ca:57:1e:be:b4:06:79:31:a7:76:50:f7:25:f0:
    ec:54:c0:52:3b:fa:a9:95:b5:36:80:41:d5:17:9e:
    8a:89:71:60:96:8f:d1:9d:18:14:b1:0a:11:24:ac:
    eb:e4:60:69:ce:91:2a:b0:f5:a0:2e:c7:8f:d3:0d:
    e5:99:2f:f5:1b:0f:48:8b:4c:09:25:3e:46:b0:9b:
    44:af:bb:c0:fb:df:24:d7:c6:98:5d:75:35:69:04:
    d1:06:64:5c:97:5a:df:f9:2a:30:24:d3:ff:70:e0:
    60:98:88:e9:5e:c0:d6:0e:c0:df:fc:75:26:31:48:
    d7:74:9f:6b:30:9a:93:29
exponent2:
    5a:ee:49:e9:28:a3:c2:d4:42:6d:e2:03:f9:dd:4c:
    93:92:dd:d0:f4:30:df:22:01:e8:cb:73:f1:5d:09:
    11:5b:72:c7:58:4e:6b:34:f4:18:a4:ed:6d:be:98:
    d9:ed:3b:89:a6:fb:74:9e:56:58:9e:7a:be:b5:64:
    0a:c0:20:b3:2c:79:85:5d:3b:f9:32:a0:2a:12:6b:
    21:14:99:b6:72:7f:a0:8e:72:72:2f:81:e8:bb:38:
    bc:02:1e:08:7b:b8:da:bf:40:3b:63:8a:5a:55:be:
    ad:5f:71:2f:e2:e9:ef:a7:cc:2c:ff:f1:38:ac:54:
    03:f5:c2:c0:4e:a0:d2:bd
coefficient:
    77:00:26:c8:8c:fe:e3:bf:19:12:8e:4b:e0:03:ce:
    f3:5b:d4:b8:55:fa:8b:d7:76:f4:50:b1:83:6f:56:
    01:25:ba:c6:ab:e0:b0:a2:19:c5:51:e4:e6:39:8e:
    3f:7b:63:c6:ab:67:54:32:58:e7:ab:31:9a:3b:b4:
    a3:a3:db:6b:55:7b:05:83:7e:27:d0:93:aa:04:de:
    3f:51:c0:b0:cd:cf:89:dc:bc:4f:10:0f:6b:83:1a:
    b2:f3:64:4a:d1:70:52:1a:3d:65:6d:01:90:e7:3c:
    72:0b:ab:92:dc:65:31:40:7c:79:82:a6:be:b2:74:
    02:5d:9d:4c:9f:20:37:f9


Be aware that the modulus in the -text output may be printed with a leading zero byte (the 00: at the start of the dump above): DER encodes a positive integer whose top bit is set with an extra 0x00, so the dump shows 257 bytes for a 2048-bit key. Double check the real value with this command, which prints the modulus as plain hex without that byte:


dvenable@dvenable:~/temp/taketwo$ openssl rsa -modulus -in test.key 
Modulus=C63B624A4AACD8556182C25F515F61B8DC2DC014B980EDF58313184D0D15C180D4E3DE31A76BBDFDBD5261ABCE55A479913A066A79F2F4F30665C5144AC3106248D7504C09ECFE09478ABB9EC0F446409D1B853E4EE9FF71647087921CF20FC3D2DB744DE66144350C157FC37C813F51DE07A91C51CDF205874C57CDE8DF8646B6C50FEBCC0EE1587A51F3CB4D573309
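As an added example (not part of the original page), here is a small Python parser for the -text layout shown above. It reads each field into an integer, shows the DER padding byte on the modulus so the 257-versus-256-byte count is explained, prints the modulus the way -modulus does, and goes a step further than the text by checking that the dumped parts are consistent with each other (n = p*q, e*d is 1 modulo lcm(p-1, q-1), and the CRT values match). The sample input is a constructed, deliberately tiny 16-bit key in the same format; the function names and checks are this example's own, not openssl's.

```python
import math
import re

# Constructed sample in the layout that `openssl rsa -in key -text` prints.
# It is a deliberately tiny 16-bit RSA key (p = 251, q = 241) made for this
# example, not the key from the page, and is useless for anything real.
SAMPLE_TEXT = """\
Private-Key: (16 bit)
modulus:
    00:ec:4b
publicExponent: 65537 (0x10001)
privateExponent:
    00:82:c1
prime1:
    00:fb
prime2:
    00:f1
exponent1:
    00:df
exponent2:
    71
coefficient:
    19
"""

FIELD_RE = re.compile(r"^(\w+):\s*$")                                   # "modulus:" opens a hex dump
INLINE_RE = re.compile(r"^(\w+):\s*(\d+)\s*\(0x[0-9a-fA-F]+\)\s*$")     # "publicExponent: 65537 (0x10001)"
HEX_RE = re.compile(r"^\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*):?\s*$")  # indented "aa:bb:cc:" lines


def parse_rsa_text(text):
    """Return (ints, raw): each field as an int and as the exact bytes openssl printed."""
    ints, raw, current = {}, {}, None
    for line in text.splitlines():
        m = INLINE_RE.match(line)
        if m:
            ints[m.group(1)] = int(m.group(2))
            current = None
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            raw[current] = bytearray()
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            raw[current] += bytes.fromhex(m.group(1).replace(":", ""))
    for name, b in raw.items():
        ints[name] = int.from_bytes(b, "big")
    return ints, {k: bytes(v) for k, v in raw.items()}


def strip_der_leading_zero(b):
    """DER prepends 0x00 to a positive INTEGER whose top bit is set; drop it to get the real size."""
    if len(b) > 1 and b[0] == 0 and b[1] & 0x80:
        return b[1:]
    return b


def modulus_hex(n):
    """Same form as `openssl rsa -modulus`: uppercase hex with no leading zero byte."""
    return format(n, "X")


def analyze(text):
    """The numbers a reviewer wants from a dumped key, plus consistency checks on its parts."""
    f, raw = parse_rsa_text(text)
    n, e, d, p, q = (f[k] for k in ("modulus", "publicExponent", "privateExponent", "prime1", "prime2"))
    return {
        "printed_bytes": len(raw["modulus"]),                    # includes the DER padding byte
        "real_bytes": len(strip_der_leading_zero(raw["modulus"])),
        "bits": n.bit_length(),
        "modulus_hex": modulus_hex(n),
        "n_is_p_times_q": p * q == n,
        # lcm rather than (p-1)(q-1): OpenSSL may reduce d modulo either, and both satisfy this
        "e_d_inverse": (e * d) % math.lcm(p - 1, q - 1) == 1,
        "crt_params_ok": f["exponent1"] == d % (p - 1)
                         and f["exponent2"] == d % (q - 1)
                         and (f["coefficient"] * q) % p == 1,
    }
```

Feed the full output of openssl rsa -in test.key -text to analyze() and expect printed_bytes 257, real_bytes 256 and bits 2048 for the key above; any False in the consistency fields means the file has been corrupted or hand-edited.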

Create a certificate signing request

This is the process for creating a certificate signing request (CSR) to submit to a CA.

dvenable@dvenable:~/key/test2$ openssl req -new -key test.key  -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:OK
Locality Name (eg, city) []:Tulsa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GTP
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, YOUR name) []:Devin
Email Address []:dvenable@******.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:    

The certificate request contains the information entered above plus the public key, which openssl derives from the private key passed to req with -key. The request is also signed with that private key, which is how the CA checks that the requester actually holds it.

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END CERTIFICATE REQUEST-----

Extract public key from private key

To simply extract the public key from the private key, use this command:

dvenable@dvenable:~/key/test2$ openssl rsa -in test.key -pubout > test.pub


-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtC0GY7QgZAobmb2oGy/f
50qxe5LKJa9Om+P9UOSZ6sKQiC9/N2TFg/xefWKxCvcx1NTl4GVMQQktsmyniEf8
SCsrl5u+zEdeFQc2ce0T/GFE/Sow6FyJoCbHwDEyPD6kS+bswtzD+O9bNiIM4A2T
uBireZCWbl/G+kegGmMYS3zLMpJ7bHLGZzrxRQ4RXjvY9tSWovXGZhn1lYVRLnMQ
/PyXO0Sw/bJD/mrHyjP0abZksaMr8RmEKlom1kxQl09E0m8QMrR61LLnI9lkYUtt
NdOKOba6s61ywG06/NQ8fal6SG1gL2SJaPLz7I84260K3VnjA42Z73pDe/YSm6e1
8wIDAQAB
-----END PUBLIC KEY-----
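As an added example (not from the page), a minimal DER reader in Python that decodes the public key printed above and confirms it carries the same modulus and exponent as the -text dump of test.key earlier on the page: the modulus starts 00:b4:2d:06:63 (padding byte included), ends b5:f3, and e is 65537. The reader, its function names and its checks are this example's own; it handles only the RSA SubjectPublicKeyInfo layout, not general ASN.1, and rejects anything else with a ValueError.

```python
import base64

# Public key exactly as printed on the page by `openssl rsa -in test.key -pubout`.
PEM = """\
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtC0GY7QgZAobmb2oGy/f
50qxe5LKJa9Om+P9UOSZ6sKQiC9/N2TFg/xefWKxCvcx1NTl4GVMQQktsmyniEf8
SCsrl5u+zEdeFQc2ce0T/GFE/Sow6FyJoCbHwDEyPD6kS+bswtzD+O9bNiIM4A2T
uBireZCWbl/G+kegGmMYS3zLMpJ7bHLGZzrxRQ4RXjvY9tSWovXGZhn1lYVRLnMQ
/PyXO0Sw/bJD/mrHyjP0abZksaMr8RmEKlom1kxQl09E0m8QMrR61LLnI9lkYUtt
NdOKOba6s61ywG06/NQ8fal6SG1gL2SJaPLz7I84260K3VnjA42Z73pDe/YSm6e1
8wIDAQAB
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, DER-encoded


def pem_to_der(pem):
    """Strip the armour lines and base64-decode the body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def expect(tag, want, what):
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}) but found tag 0x{tag:02x}")


def parse_rsa_spki(der):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
    RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    tag, spki, _ = read_tlv(der, 0)
    expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, pos)
    expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    tag, rsapub, _ = read_tlv(bits, 1)       # skip the unused-bits byte
    expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n_raw, pos = read_tlv(rsapub, 0)
    expect(tag, 0x02, "modulus INTEGER")
    tag, e_raw, _ = read_tlv(rsapub, pos)
    expect(tag, 0x02, "publicExponent INTEGER")
    n = int.from_bytes(n_raw, "big")
    return {
        "modulus": n,
        "publicExponent": int.from_bytes(e_raw, "big"),
        "modulus_der": n_raw,                # keeps the leading 0x00 that `-text` also shows
        "bits": n.bit_length(),
    }


def public_key_summary(pem=PEM):
    """Compact view for comparing against the private key's -text dump."""
    k = parse_rsa_spki(pem_to_der(pem))
    return {"bits": k["bits"], "e": k["publicExponent"],
            "modulus_starts": k["modulus_der"][:5].hex(":"),
            "modulus_ends": k["modulus_der"][-2:].hex(":")}
```

This is the same check as comparing openssl rsa -modulus on the private key with openssl rsa -pubin -modulus on the public key, just made explicit: if the two moduli differ, the .pub file does not belong to the .key file.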

SHA1 digest

dvenable@dvenable:~/key/test2$ openssl dgst -sha1 test.pub 
SHA1(test.pub)= 128eb4ec2992a6e4b09655029c7c0cacc19fdaf3

Other tools which may be used to generate RSA key pairs

  • keytool
    • This utility ships with Java. It is a bit higher-level, but lacks many features of openssl. There are also some reported compatibility problems between versions.
  • ssh-keygen

Sign and verify a chunk of data with RSA key

First I create a file containing this data. Note that I have a private key called mykey.pem and a public key called mykey.pub.

01 TEST 02 STUFF

I save it as datatosign.txt.

Next I use my private key to sign it. I save the output to signeddata.txt.

openssl rsautl -sign -inkey mykey.pem -in datatosign.txt -out signeddata.txt

If I examine the file signeddata.txt, I'll find a bunch of unreadable binary characters.

Another way to sign it and output hex is listed here:

dvenable@dvenable:~/temp/openssl/testing$ openssl dgst -hex -sha1 -sign mykey.pem datatosign.txt 
SHA1(datatosign.txt)= 8fa2b6e01dc3cf498a605eea54b7d3fba2ddaaf06d57cb21e5afcf8b8235bf9917d29e08240769440b0d5186120091a7b25e48f3874705722174c320148b224c267fb89e17493ebfdcae5a79521747eda6ddc6448ddc03002775eade263fa060dc424853120568dec8259e903561defdbba766f9519a28fb85438f3006047c94

I can verify the signature using the same private key.

dvenable@dvenable:~/temp/openssl/testing$ openssl rsautl -verify -inkey mykey.pem -in signeddata.txt 
01 TEST 02 STUFF

Of course a third-party isn't going to have our private key, just our public key. So they verify the signature like so:

dvenable@dvenable:~/temp/openssl/testing$ openssl rsautl -pubin -inkey mykey.pub -verify -in signeddata.txt 
01 TEST 02 STUFF

But what about the dgst option? Here we go...

dvenable@dvenable:~/temp/openssl/testing$ openssl dgst -sha1 -verify mykey.pub -signature hexsigned.txt signeddata.txt 
Verification Failure

#hmmm, that did not work as expected.  Here I used dgst without the hex option initially...

dvenable@dvenable:~/temp/openssl/testing$ openssl dgst -sha1 -sign mykey.pem -out signeddata.txt.sha1 signeddata.txt 

(tail signeddata.txt.sha1 produces binary stuff)

dvenable@dvenable:~/temp/openssl/testing$ openssl dgst -sha1 -verify mykey.pub -signature signeddata.txt.sha1 signeddata.txt
Verified OK

One more time with HEX option...

dvenable@dvenable:~/temp/openssl/testing$ openssl dgst -hex -sha1 -sign mykey.pem -out signeddata.txt.sha1 signeddata.txt 
dvenable@dvenable:~/temp/openssl/testing$ tail signeddata.txt.sha1 
SHA1(signeddata.txt)= 6187d27466d8058016ab102f2930fe8b56499f2db5d7c95f1a5918dcb1b50404941d075aec927a3d0389403564be0bb45c30f7db8b9c0c2e948991ce3e6c0f1ef190fdd76574652c742afb5ae8c2a3b0bb229f10d70678dbb5718acf3f2d85bb10f69a7769530fb944b519c66ab00e8f481af943f7d89f136421b8a87dd5325d
dvenable@dvenable:~/temp/openssl/testing$ openssl dgst -hex -sha1 -verify mykey.pub -signature signeddata.txt.sha1 signeddata.txt
Verification Failure

Still need a bit of research to use with hex option...
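Why the -hex attempts above fail, and how the two signing commands differ, as an added example written for this page (pure Python, not OpenSSL's code; the key generation, padding helpers and function names are this example's own, and it generates a throwaway 512-bit key at run time instead of using mykey.pem). rsautl -sign applies PKCS#1 v1.5 type 1 padding directly to the input bytes and then the private key, so rsautl -verify recovers the input itself, which is why "01 TEST 02 STUFF" comes back. dgst -sha1 -sign instead pads the DER DigestInfo of the SHA-1 hash, and dgst -verify reads the -signature file as raw bytes. With -hex, dgst writes the text line "SHA1(file)= <hex>" in place of those raw bytes, and -hex does not change how -verify reads the file, so that text can never verify; decoding the hex back to bytes first does.

```python
import hashlib
import math
import secrets

# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1):
# `openssl dgst -sha1 -sign` pads and signs this prefix followed by the 20-byte hash.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def is_probable_prime(n, rounds=32):
    if n < 2: return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):                  # Miller-Rabin; fine for a demo key, not production
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1   # top two bits set and odd
        if is_probable_prime(c):
            return c

def gen_key(bits=512, e=65537):
    """((n, e), (n, d)); 512 bits keeps the demo fast, real keys are 2048 bits or more."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def key_bytes(n):
    return (n.bit_length() + 7) // 8

def pkcs1_type1_pad(data, k):
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 data, exactly k bytes, at least 8 bytes of FF."""
    if len(data) > k - 11:
        raise ValueError("input too long for this key size")
    return b"\x00\x01" + b"\xff" * (k - len(data) - 3) + b"\x00" + data

def pkcs1_type1_unpad(em):
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad signature padding")
    return em[sep + 1:]

def rsa_private(priv, em):
    n, d = priv
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(key_bytes(n), "big")

def rsa_public(pub, sig):
    n, e = pub
    if len(sig) != key_bytes(n):             # a hex text file has the wrong length and is rejected here
        raise ValueError("signature length does not match key size")
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(key_bytes(n), "big")

def rsautl_sign(priv, data):                 # openssl rsautl -sign: pad the raw data, no hash
    return rsa_private(priv, pkcs1_type1_pad(data, key_bytes(priv[0])))

def rsautl_verify(pub, sig):                 # openssl rsautl -verify: returns the recovered data
    return pkcs1_type1_unpad(rsa_public(pub, sig))

def dgst_sign(priv, data):                   # openssl dgst -sha1 -sign: pad DigestInfo || SHA-1(data)
    em = pkcs1_type1_pad(SHA1_DIGESTINFO + hashlib.sha1(data).digest(), key_bytes(priv[0]))
    return rsa_private(priv, em)

def dgst_verify(pub, sig, data):
    """openssl dgst -sha1 -verify pub -signature sig: sig must be the raw signature bytes."""
    try:
        return pkcs1_type1_unpad(rsa_public(pub, sig)) == SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    except ValueError:
        return False

def dgst_hex_line(filename, sig):            # what `openssl dgst -hex -sign` writes instead of raw bytes
    return f"SHA1({filename})= {sig.hex()}\n"

def signature_from_hex_line(line):           # turn that text line back into the bytes -verify expects
    return bytes.fromhex(line.split("= ", 1)[1].strip())

def demo(msg=b"01 TEST 02 STUFF\n"):        # constructed input, the same text as datatosign.txt above
    pub, priv = gen_key()
    raw_sig, sig = rsautl_sign(priv, msg), dgst_sign(priv, msg)
    hex_line = dgst_hex_line("datatosign.txt", sig)
    return {
        "rsautl_recovers_data": rsautl_verify(pub, raw_sig) == msg,
        "dgst_verifies": dgst_verify(pub, sig, msg),
        "rsautl_sig_is_not_a_dgst_sig": not dgst_verify(pub, raw_sig, msg),
        "hex_text_file_as_signature": dgst_verify(pub, hex_line.encode(), msg),
        "hex_decoded_back_to_bytes": dgst_verify(pub, signature_from_hex_line(hex_line), msg),
        "tampered_data": dgst_verify(pub, sig, msg + b"!"),
    }
```

demo() returns one outcome per step of the session above; the two False entries are the hex text file used as a signature and a tampered message. A signature file of the wrong length is rejected before any RSA arithmetic, as the length check in rsa_public shows, and a rsautl-style signature never verifies under dgst because the recovered block is the message, not a DigestInfo. Note also that rsautl -sign only works for inputs shorter than the key size minus 11 bytes, which is one reason hash-then-sign via dgst is the normal form.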


Encrypt/Decrypt examples

Encrypt with public key and decrypt with private

Note that openssl enc is symmetric, password-based encryption: -kfile reads the first line of the named file as the passphrase, so passing test.pub here derives the 3DES key from the first line of the public key file rather than using RSA at all, and anyone holding the public key can decrypt the result. The commands are kept below with the output and input file names made consistent:

openssl enc -des-ede3-cbc -in test.txt -out test.enc3.txt -kfile test.pub
openssl enc -des-ede3-cbc -d -in test.enc3.txt -kfile test.pub

For real public-key encryption use openssl rsautl -encrypt -pubin -inkey test.pub on a short input (at most the key size minus 11 bytes with PKCS#1 v1.5 padding) and openssl rsautl -decrypt -inkey test.key to recover it; for larger data, encrypt a random symmetric key this way and encrypt the data with that key.