> From: owner-openssl-us...@openssl.org On Behalf Of Kelly John Rose
> Sent: Monday, September 30, 2013 14:29
> If the PEM file contains the private key, then
>
> openssl rsa -in veripay.pem -out gw.veripay.co.uk.key
>
> should work as expected. pem is just a wrapper around the data, so it
> should just pull it out of there if it's in there to start.
>
No, that command doesn't change a thing. Compare the input and output files and you'll see they're identical. PEM is 'just' an encoding, and 'rsa' can convert between PEM and DER, but not the way you show. Plus httpd, or rather mod_ssl, wants PEM files anyway (both privkey and cert(s)). At least assuming it's using OpenSSL -- I believe there used to be versions that used GnuTLS, which has quite different files.

The private key file generated by genrsa is indeed a private key file. More exactly it's a CRT-form private key, which includes as a subset the public key. Extracting the *public* key is a meaningful function that 'rsa' can do, but (again) not the way you show. And usually what you want is not the public key by itself, but the public key in a (CSR and then) certificate, and this OP already has that.

There are two differences that could matter:

- encrypted vs unencrypted. Both 'genrsa' and 'rsa' create unencrypted key files by default, but on both you can specify (password-based) encryption if you want, and thus you can use 'rsa' to either add or remove encryption. Encrypted key files are better practice in general because they (can) protect your key from exposure and breach, but configuring httpd to use an encrypted key file can be a bit tricky, especially if, as apparently for this OP, it's done by somebody else.

- PKCS#8 vs 'legacy' (PKCS#1). OpenSSL supports both algorithm-specific formats (which for RSA is PKCS#1 CRT form) and the generic PKCS#8 format. The PKCS#8 format is 'just a wrapper': it contains an AlgorithmIdentifier specifying the key type, plus the actual key. *For PEM* the OpenSSL read routines, which mod_ssl uses, have been able to transparently read either PKCS#8 or legacy for many years.
For DER, on the other hand, this can be an issue. And for other software. If you have PKCS#8 (this OP doesn't) and you need legacy for some reason (ditto), that is something 'rsa' can do the way you showed.

> On 30/09/2013 2:10 PM, Ted Byers wrote:
> > I issued the following command (with my own name in place of
> > privkey)
> >
> > openssl genrsa -out privkey.pem 2048
> >
> > I then made the csr using
> >
> > openssl req -new -key privkey.pem -out cert.csr
> >
> > That is simple enough. But, I need a .key file to deploy on the
> > server beside the crt files.
> >
> > If I understand these commands well enough, privkey.pem ought to
> > contain the private key, but how do I get the right .key file from
> > it.
> >
> > Surely it is not as simple as
> >
> > openssl rsa -in veripay.pem -out gw.veripay.co.uk.key (which makes
> > a file, but since I am not sure of it, I do not want to deploy that
> > file yet, lest I make the web server fail to start (and it is in
> > production use, and I do not have a system administrator to ask).
> >
> > And while I am at it, how would I modify the above commands so that
> > I get the .key file right at the start, when I make the key, rather
> > than having to try to recover it from the pem file?
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
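The behaviour the reply above describes, as an added example that is not part of the thread: a shell script that shows `openssl rsa -in ... -out ...` with no other options writing a byte-for-byte identical file, `-pubout` being the conversion that actually extracts the public key (and that it matches the public key inside the CSR made the OP's way), `rsa` adding and removing password-based encryption, and a PKCS#8 wrapper around the same key being read transparently. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the file names, the CSR subject and the passphrase are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI (1.1.1 or
# 3.x) is on PATH. File names, the CSR subject and the passphrase are made up.
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to show"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

run_demo() {
  cd "$WORK" || return 1
  # 1. What the OP ran: an unencrypted RSA private key (CRT form) in PEM.
  openssl genrsa -out privkey.pem 2048 2>/dev/null || return 1
  # 2. The suggested "conversion" to a .key file: PEM in, the same PEM out.
  openssl rsa -in privkey.pem -out server.key 2>/dev/null || return 1
  # 3. The one conversion that is meaningful here: extract the public key.
  openssl rsa -in privkey.pem -pubout -out pubkey.pem 2>/dev/null || return 1
  # 4. The CSR built the OP's way carries that same public key.
  openssl req -new -key privkey.pem -subj /CN=gw.example.test -out cert.csr 2>/dev/null || return 1
  openssl req -in cert.csr -noout -pubkey > csr_pubkey.pem 2>/dev/null || return 1
  # 5. 'rsa' can add password-based encryption, and strip it again.
  openssl rsa -in privkey.pem -aes256 -passout pass:demo-only -out privkey.enc.pem 2>/dev/null || return 1
  openssl rsa -in privkey.enc.pem -passin pass:demo-only -out privkey.dec.pem 2>/dev/null || return 1
  # 6. Wrap the same key in PKCS#8; 'rsa' reads either form transparently.
  openssl pkcs8 -topk8 -nocrypt -in privkey.pem -out privkey.p8.pem 2>/dev/null || return 1
}

# Checks used by the report below; each returns 0 on success.
same_file()        { cmp -s "$WORK/privkey.pem" "$WORK/server.key"; }
pem_label()        { head -n 1 "$WORK/$1"; }
pubkeys_match()    { cmp -s "$WORK/pubkey.pem" "$WORK/csr_pubkey.pem"; }
is_encrypted()     { grep -q ENCRYPTED "$WORK/privkey.enc.pem"; }
roundtrip_ok()     { cmp -s "$WORK/privkey.pem" "$WORK/privkey.dec.pem"; }
modulus()          { openssl rsa -in "$WORK/$1" -noout -modulus 2>/dev/null; }
pkcs8_reads_same() { [ "$(modulus privkey.pem)" = "$(modulus privkey.p8.pem)" ]; }

yn() { "$@" && echo yes || echo no; }

run_demo || { echo "demo failed (is an openssl.cnf available to 'req'?)"; exit 1; }
echo "genrsa output == 'rsa -in -out' output: $(yn same_file)"
echo "privkey.pem label:                      $(pem_label privkey.pem)"
echo "pubkey from key == pubkey in CSR:       $(yn pubkeys_match)"
echo "-aes256 output is encrypted:            $(yn is_encrypted)"
echo "decrypt(encrypt(key)) == key:           $(yn roundtrip_ok)"
echo "PKCS#8 label:                           $(pem_label privkey.p8.pem)"
echo "PKCS#8 and legacy give same modulus:    $(yn pkcs8_reads_same)"
```

The `.key` extension is arbitrary to mod_ssl, so the answer to the OP's last question is simply `openssl genrsa -out gw.veripay.co.uk.key 2048` (or renaming privkey.pem). One version caveat the 2013 thread predates: on OpenSSL 3.x both `genrsa` and `rsa` write the PKCS#8 form (`BEGIN PRIVATE KEY`) by default and `-traditional` requests the PKCS#1 form (`BEGIN RSA PRIVATE KEY`), while 1.1.1 defaults to PKCS#1 on both; the `same_file` check holds either way. Deploying the encrypted variant is the part the reply calls tricky, since httpd then needs a passphrase source at startup (mod_ssl's SSLPassPhraseDialog).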