Hi Ralf,
Ralf Skyper Kaiser wrote:
> Hi,
>
> OpenSSL 1.0.1e 11 Feb 2013
>
> $ grep bits openssl.cnf
> default_bits = 4096
>
> => Note that the default_bits are set to 4096.
>
> $ openssl req -config openssl.cnf -nodes -newkey rsa -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM
> Generating a 4096 bit RSA private key
> ..++++++
> ...........................++++++
> writing new private key to 'testkey.pem'
>
> => Note that Openssl tells us that it is generating a 4096 bit key.
>
> $ openssl rsa -text <testkey.pem | less | grep Key
> Private-Key: (1024 bit)
>
> => ...but openssl generated a 1024 bit key instead.
>
> (The workaround is to force openssl with -newkey rsa:4096.)
>
> Two concerns:
> 1. Openssl should create a 4096 bit key if the default setting is 4096 bit.
> 2. Openssl should not show that a 4096 bit key is generated and then
>    generate something much weaker.

The output of the command you gave is indeed confusing, but if you use

$ openssl req -config openssl.cnf -nodes -new -keyout testkey.pem -keyform PEM -out testreq.pem

to generate the key+request the correct value *is* picked up from the
openssl.cnf file.

I don't yet understand why the 'req' command does pick up the setting
from the openssl.cnf file yet it generates the private key using the
default key size.
HTH,
JJK
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
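
Added example (not part of the original thread and not OpenSSL project code): a post-generation check that ignores the "Generating a 4096 bit RSA private key" banner and compares the size reported for the key file itself with default_bits from the config. The function names are hypothetical, and the script assumes default_bits lives in the [ req ] section of the file passed to -config.

```shell
#!/bin/sh
# Added example: verify that a generated RSA key is at least as large as
# default_bits in openssl.cnf. All function names here are hypothetical.

# Print default_bits from the [ req ] section of the given config file.
cnf_default_bits() {
    awk '
        /^[ \t]*\[/ { s = $0; gsub(/[^A-Za-z0-9_]/, "", s); sect = s; next }
        sect == "req" && /^[ \t]*default_bits[ \t]*=/ {
            sub(/[ \t]*#.*/, "")          # drop trailing comment
            sub(/^[^=]*=[ \t]*/, "")      # drop "default_bits ="
            print; exit
        }' "$1"
}

# Read "openssl rsa -text" output on stdin and print the key size in bits.
# Accepts both "Private-Key: (1024 bit)" and "(4096 bit, 2 primes)" forms.
text_key_bits() {
    sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# compare_bits <configured> <actual>
# returns 0 = ok, 1 = key weaker than configured, 2 = size unknown
compare_bits() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "cannot determine key size" >&2
        return 2
    fi
    if [ "$2" -lt "$1" ]; then
        echo "WEAK: key is $2 bit, config asks for $1 bit" >&2
        return 1
    fi
    echo "ok: key is $2 bit"
}

# check_key_size <openssl.cnf> <key.pem>: inspects the key actually on disk.
check_key_size() {
    want=$(cnf_default_bits "$1")
    got=$(openssl rsa -in "$2" -noout -text | text_key_bits)
    compare_bits "$want" "$got"
}

# When run as: sh check.sh openssl.cnf testkey.pem
if [ $# -eq 2 ]; then
    check_key_size "$1" "$2"
fi
```

For the session quoted above, the check would report the 1024 bit key as weaker than the configured 4096 and return 1, so it can gate a key-generation script.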