1.1. Manage RSA Keys
This article is published under the CC-BY-4.0 license; please comply with that license when reproducing it.
Original URL: https://fenying.net/en/book/pki-tutorials/1.1.manage-rsa-keys/
This chapter introduces how to generate, convert, encode, encrypt and decrypt RSA keys using the OpenSSL command-line tools.
Generate RSA Private Key
The `genrsa` subcommand of OpenSSL is usually used to generate RSA private keys.
For example, to generate an RSA private key file named `rsa-p1.pem` with the following configuration:
| Property | Value |
|---|---|
| Bits | 2048 |
| Cipher | AES-256-CFB |
| Standard | PKCS#1 |
| Encoding | PEM |

```bash
openssl genrsa -aes-256-cfb -out ./rsa-p1.pem 2048
```
If no encryption algorithm flag (such as `-aes-256-cfb`) is passed, a raw private key without encryption protection is generated.
Common Parameters
- `-outform`: Specifies the output file format, which can be either `PEM` or `DER`.
- `-rand`: Specifies the path to the random seed file used to generate random numbers.
Standard Conversion
PKCS#1 -> PKCS#8
```bash
openssl pkcs8 \
    -topk8 \
    -inform PEM \
    -outform PEM \
    -in rsa-p1.pem \
    -out rsa-p8.pem
```
By default, the `-v2 aes256` parameter is used for encryption. If the converted key does not need encryption protection, add `-nocrypt`, for example:
```bash
openssl pkcs8 \
    -topk8 \
    -inform PEM \
    -outform PEM \
    -nocrypt \
    -in rsa-p1.pem \
    -out rsa-p8-raw.pem
```
PKCS#8 -> PKCS#1
```bash
openssl rsa \
    -aes-256-cfb \
    -in rsa-p8.pem \
    -out rsa-p1.pem
```
If the converted key does not need encryption protection, remove the encryption algorithm flag `-aes-256-cfb`, for example:
```bash
openssl rsa \
    -in rsa-p8.pem \
    -out rsa-p1-raw.pem
```
By default, both the input and output encodings are `PEM`. If the input is DER, specify `-inform DER`; if you need DER output, specify `-outform DER`.
Encoding Conversion
PKCS#1: PEM <=> DER
For example, PEM -> DER (swap the `-inform` and `-outform` values for the reverse direction):
```bash
openssl rsa \
    -inform PEM \
    -outform DER \
    -in rsa-p1-raw.pem \
    -out rsa-p1-raw.der
```
PKCS#8: PEM <=> DER
OpenSSL's support for PKCS#8 DER encoding is incomplete. Please do not use it.
Encryption and Decryption
Encrypt PKCS#1 Private Key
```bash
openssl rsa \
    -inform PEM \
    -aes-256-cfb \
    -in rsa-p1-raw.pem \
    -out rsa-p1.pem
```
Decrypt PKCS#1 Private Key
```bash
openssl rsa \
    -inform PEM \
    -in rsa-p1.pem \
    -out rsa-p1-raw.pem
```
Encrypt PKCS#8 Private Key
```bash
openssl pkcs8 \
    -topk8 \
    -inform PEM \
    -v2 aes256 \
    -in rsa-p8-raw.pem \
    -out rsa-p8.pem
```
Decrypt PKCS#8 Private Key
```bash
openssl pkcs8 \
    -inform PEM \
    -in rsa-p8.pem \
    -out rsa-p8-raw.pem
```
Extract Public Key
```bash
openssl rsa \
    -inform PEM \
    -in rsa-p1-raw.pem \
    -pubout \
    -out rsa-p1.pub
```
The `-in` parameter accepts either PKCS#1 or PKCS#8 keys.
View Public Key Information
```bash
openssl rsa \
    -inform PEM \
    -pubin \
    -text \
    -noout \
    -in rsa-p1.pub
```
View Private Key Information
```bash
openssl rsa \
    -inform PEM \
    -noout \
    -text \
    -in rsa-p1.pem
```
Test Key
```bash
# Generate a random file for testing
openssl rand -out tmp.dat 4096

# Sign the random file with the private key using RSA-SHA-256
openssl dgst -sha256 -sign rsa-p1.pem -out tmp.dat.sig tmp.dat

# Verify the signature
openssl dgst -sha256 -verify rsa-p1.pub -signature tmp.dat.sig tmp.dat
```
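The script below is an added example, not part of the original page: it runs the generation, conversion, encoding and extraction steps above end to end and checks that every resulting file still describes the same key, by comparing moduli and finishing with the sign/verify test. It assumes the `openssl` CLI (1.1.x or 3.x) is on `PATH`; the passphrase is a constructed sample passed with `-passin`/`-passout` so nothing prompts.

```bash
#!/bin/sh
# Added example: round-trip one RSA key through PKCS#1/PKCS#8, PEM/DER and
# encrypted/raw forms, then verify all forms agree. Assumes `openssl` on PATH.
set -eu
PASS='pass:example-passphrase'   # constructed sample passphrase for the demo

# Hex modulus of a private key (PKCS#1 or PKCS#8). openssl ignores -passin
# for unencrypted keys, so one helper serves both. $1 = file, $2 = PEM or DER
key_modulus() {
    openssl rsa -in "$1" -inform "$2" -passin "$PASS" -noout -modulus | sed 's/^Modulus=//'
}
# Hex modulus of a PEM public key.
pub_modulus() {
    openssl rsa -pubin -in "$1" -noout -modulus | sed 's/^Modulus=//'
}
# Generate rsa-p1.pem in directory $1 as the page does, derive the other forms,
# and return 0 only if all moduli agree and a signature made with the encrypted
# PKCS#8 key verifies with the public key extracted from the PKCS#1 key.
rsa_roundtrip() {
    dir=$1
    openssl genrsa -aes-256-cfb -passout "$PASS" -out "$dir/rsa-p1.pem" 2048 2>/dev/null
    # PKCS#1 -> PKCS#8, once encrypted with -v2 aes256 and once raw (-nocrypt)
    openssl pkcs8 -topk8 -v2 aes256 -passin "$PASS" -passout "$PASS" \
        -in "$dir/rsa-p1.pem" -out "$dir/rsa-p8.pem"
    openssl pkcs8 -topk8 -nocrypt -passin "$PASS" \
        -in "$dir/rsa-p1.pem" -out "$dir/rsa-p8-raw.pem"
    # Decrypt the PKCS#1 key, re-encode it as DER, and extract the public key
    openssl rsa -passin "$PASS" -in "$dir/rsa-p1.pem" -out "$dir/rsa-p1-raw.pem"
    openssl rsa -inform PEM -outform DER \
        -in "$dir/rsa-p1-raw.pem" -out "$dir/rsa-p1-raw.der"
    openssl rsa -passin "$PASS" -in "$dir/rsa-p1.pem" -pubout -out "$dir/rsa-p1.pub"
    m=$(key_modulus "$dir/rsa-p1.pem" PEM)
    [ -n "$m" ] || return 1   # empty modulus means openssl could not parse the key
    [ "$m" = "$(key_modulus "$dir/rsa-p8.pem" PEM)" ] || return 1
    [ "$m" = "$(key_modulus "$dir/rsa-p8-raw.pem" PEM)" ] || return 1
    [ "$m" = "$(key_modulus "$dir/rsa-p1-raw.der" DER)" ] || return 1
    [ "$m" = "$(pub_modulus "$dir/rsa-p1.pub")" ] || return 1
    # The page's sign/verify test, signing with the encrypted PKCS#8 key
    openssl rand -out "$dir/tmp.dat" 4096
    openssl dgst -sha256 -sign "$dir/rsa-p8.pem" -passin "$PASS" \
        -out "$dir/tmp.dat.sig" "$dir/tmp.dat"
    openssl dgst -sha256 -verify "$dir/rsa-p1.pub" \
        -signature "$dir/tmp.dat.sig" "$dir/tmp.dat" >/dev/null
}
workdir=$(mktemp -d)
rsa_roundtrip "$workdir" && echo "all key forms agree; files are in $workdir"
```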
These are the common operations on RSA keys.