This is actually an openssl-users question, but don't worry too much about it. :)
genrsa generates both the public and the private keys in the same structure (PKCS#1). The command 'openssl rsa -in domainname.key -pubout -out domainname.pub' will take the portion that has been designated as the private key out of the structure written into domainname.pub. As a matter of implementation, OpenSSL stores the private key and the public key together in the same structure.

-Kyle H

On Thu, Apr 30, 2009 at 9:23 AM, dadhikra <dadhi...@gmail.com> wrote:
>
> Hello all,
>
> I am new to openssl, so please go easy on me if you find my question stupid.
> But I am really confused by openssl documentation. My question is regarding
> the generation of CSRs i.e. Certificate Signing Requests.
>
> As per the documentation, here is one way to generate a CSR
>
> Following command generates a private key stored in a file called
> domainname.key
> (1) openssl genrsa -out domainname.key 1024
>
> And the following command generates a CSR, which stores the public key and
> the information about the company in the file called domainname.csr
> (2) openssl req -new -key domainname.key -out domainname.csr
>
> Now, from whatever I know about the public key cryptography, it is not
> possible to generate private key from the public key and vice versa. Both
> the keys can only be generated together through some algorithm. And there is
> no fundamental difference between the two keys. Any key from the pair can be
> designated as a public key and the counterpart as the private key.
>
> So what is happening here is that we are generating public key from the
> private key in command no (2). (Remember, public key is stored in
> domainname.csr). So if that is the case, then we can also generate private
> key given a public key.
>
> This is bizarre. Obviously I am missing something here. My only guess is
> that the file domainname.key as generated by command (1) stores BOTH public
> and private keys. That will make the whole game logical. Of course openssl
> documentation doesn't say so. So can somebody please explain the logic
> behind these commands. Or at least can somebody please confirm my
> observation?
>
> --
> View this message in context:
> http://www.nabble.com/Confused-by-OpenSSL-tp23319693p23319693.html
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
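
Added example, not part of the thread and not OpenSSL's code: a minimal Python DER reader for the PKCS#1 RSAPrivateKey structure (RFC 8017, A.1.2), showing that a private key file in this format carries the modulus and public exponent next to the private values, so the public key is copied out of the file rather than computed from a secret. The function names and the toy key (p=61, q=53, e=17) are constructed for illustration.

```python
# Added example: PKCS#1 RSAPrivateKey (RFC 8017, A.1.2) field order.
FIELDS = ["version", "modulus", "publicExponent", "privateExponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient"]

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_int(v):
    """Encode a non-negative INTEGER; the sizing keeps the sign bit clear."""
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(raw)) + raw

def der_seq(items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(der):
    """Decode RSAPrivateKey into a dict of its nine INTEGER fields."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    out, pos = {}, 0
    for name in FIELDS:
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER for " + name)
        out[name] = int.from_bytes(val, "big")
    return out

def public_key_der(priv):
    """Build RSAPublicKey (modulus, publicExponent) from the parsed fields."""
    return der_seq([der_int(priv["modulus"]), der_int(priv["publicExponent"])])

# Constructed toy key from tiny primes (sample data, far too small for real use).
p, q, e = 61, 53, 17
d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, 2753
TOY_KEY = der_seq([der_int(x) for x in (0, p * q, e, d, p, q,
                   d % (p - 1), d % (q - 1), pow(q, -1, p))])
```

Going the other way, from the two-field RSAPublicKey to the private values, requires factoring the modulus, which is why only the private key file can serve as the source for both.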