Notes on RSA Key Production

To make a 2048-bit RSA key in whatever.key:

 cd /etc/httpd/conf/ssl.key
 openssl genrsa -out whatever.key 2048

This produces an output file that is a PEM-encoded PKCS#1 private key (an ASN.1 RSAPrivateKey structure; the file starts with -----BEGIN RSA PRIVATE KEY-----). It is not encrypted in any way, which is a problem if anyone other than root can read the file, so check its permissions (mode 0600) before relying on it. Note that OpenSSL 3.x writes a PKCS#8 PrivateKeyInfo (-----BEGIN PRIVATE KEY-----) by default; pass -traditional to genrsa if you need the PKCS#1 form.

If you want to look at the components that have been generated:

 openssl rsa -in whatever.key -noout -text

Make a certificate signing request for this:

 openssl req -new -key whatever.key -out whatever.csr

Make a temporary self-signed certificate from the same key while you wait for the response to the CSR:

 openssl x509 -req -days 30 -in whatever.csr -signkey whatever.key -out whatever.crt

You can make a key on-the-fly while creating the CSR (req generates the key itself, so there is no separate genrsa step):

 openssl req -new -newkey rsa:2048 -keyout whatever.key -out whatever.csr

In this case, you'll get a PEM-encoded key file with extra header lines (Proc-Type and DEK-Info) naming the cipher used. By default the key is 3DES-encrypted with a password that is requested during the creation process; add -nodes if you want it written unencrypted. Recent OpenSSL releases use a different default cipher and write a PKCS#8 ENCRYPTED PRIVATE KEY file instead, so check the header of the file you actually get.

You can decrypt a key in this format like this:

 openssl rsa -in sekrit.pem -out clear.pem

This prompts for an (input) password.

To encrypt an unprotected key:

 openssl rsa -in clear.pem -out sekrit.pem -des3

This prompts for an (output) password.

To take an unprotected key and convert it into an unencrypted PKCS#8 file:

 openssl pkcs8 -topk8 -in clear.pem -out pk8.pem -nocrypt

To take an unprotected key and convert it into an encrypted PKCS#8 file (you will be prompted for an output password):

 openssl pkcs8 -topk8 -in clear.pem -out pk8.pem

In PKCS#8 files, the encryption suite used is named inside the ASN.1 structure (the AlgorithmIdentifier of the EncryptedPrivateKeyInfo), rather than in the textual PEM header. This is the kind of file you need if you want to be able to import keys into a Java keystore using extkeytool.
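The difference between the four file types above (PKCS#1 clear, PKCS#1 with DEK-Info header, PKCS#8 clear, PKCS#8 encrypted) is easy to check by hand. The following script is an added example, not part of these notes or of OpenSSL: it contains its own tiny DER encoder and parser, builds one constructed sample of each container (the RSA numbers are textbook toys, not a usable key, and the "encrypted" payloads are placeholder bytes), and reports for each file whether it is encrypted and whether the cipher is named in the PEM header or inside the ASN.1. The OID table, the file names and the sample values are all assumptions made for this example.

```python
import base64
import re

# Minimal DER helpers (written for this example; not OpenSSL code).
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):                     # one spare byte keeps the INTEGER positive
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p := p >> 7:
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, v = parts + [v], 0
    return ".".join(map(str, parts))

OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.5.13": "PBES2",
        "1.2.840.113549.3.7": "des-ede3-cbc", "2.16.840.1.101.3.4.1.42": "aes256-CBC"}
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """Report the container format and, if encrypted, where the cipher is named."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, lines, headers = m.group(1), m.group(2).strip().splitlines(), {}
    while lines and ":" in lines[0]:                   # RFC 1421 headers (PKCS#1 files only)
        k, v = lines.pop(0).split(":", 1)
        headers[k.strip()] = v.strip()
    blob = base64.b64decode("".join(l.strip() for l in lines))
    if label == "RSA PRIVATE KEY" and "DEK-Info" in headers:
        return {"format": "PKCS#1", "encrypted": True, "named_in": "PEM header",
                "cipher": headers["DEK-Info"].split(",")[0]}
    if label == "RSA PRIVATE KEY":                     # RSAPrivateKey: version must be 0
        if read_tlv(read_tlv(blob)[1])[:2] != (0x02, b"\x00"):
            raise ValueError("not an RSAPrivateKey structure")
        return {"format": "PKCS#1", "encrypted": False, "named_in": None, "cipher": None}
    if label == "PRIVATE KEY":                         # PrivateKeyInfo: version, AlgorithmIdentifier, key
        seq = read_tlv(blob)[1]
        oid = decode_oid(read_tlv(read_tlv(seq, read_tlv(seq)[2])[1])[1])
        return {"format": "PKCS#8", "encrypted": False, "named_in": None, "cipher": None,
                "algorithm": OIDS.get(oid, oid)}
    if label == "ENCRYPTED PRIVATE KEY":               # EncryptedPrivateKeyInfo
        algid = read_tlv(read_tlv(blob)[1])[1]
        _, oid_body, pos = read_tlv(algid)
        cipher = OIDS.get(decode_oid(oid_body), decode_oid(oid_body))
        if cipher == "PBES2":                          # real cipher is PBES2-params.encryptionScheme
            params = read_tlv(algid, pos)[1]
            oid = decode_oid(read_tlv(read_tlv(params, read_tlv(params)[2])[1])[1])
            cipher = OIDS.get(oid, oid)
        return {"format": "PKCS#8", "encrypted": True, "named_in": "ASN.1 AlgorithmIdentifier",
                "cipher": cipher}
    raise ValueError(f"unrecognised PEM label {label!r}")

def to_pem(label, blob, headers=()):
    b64 = base64.b64encode(blob).decode()
    lines = [f"-----BEGIN {label}-----"] + [f"{k}: {v}" for k, v in headers]
    lines += [""] if headers else []
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)] + [f"-----END {label}-----"]
    return "\n".join(lines) + "\n"

# Constructed samples: textbook toy RSA numbers (p=61, q=53), not a usable key, and
# placeholder bytes where real files carry ciphertext. Only the container layout is real.
TOY_PKCS1 = der(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8 = der(0x30, der_int(0) + der(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
               + der(0x04, TOY_PKCS1))
PBES2 = der(0x30, der(0x30, der_oid("1.2.840.113549.1.5.12")
                      + der(0x30, der(0x04, b"salt1234") + der_int(2048)))
            + der(0x30, der_oid("1.2.840.113549.3.7") + der(0x04, bytes(8))))
TOY_ENC_PKCS8 = der(0x30, der(0x30, der_oid("1.2.840.113549.1.5.13") + PBES2) + der(0x04, bytes(16)))
SAMPLES = {
    "clear.pem": to_pem("RSA PRIVATE KEY", TOY_PKCS1),
    "sekrit.pem": to_pem("RSA PRIVATE KEY", bytes(16),
                         [("Proc-Type", "4,ENCRYPTED"), ("DEK-Info", "DES-EDE3-CBC,0123456789ABCDEF")]),
    "pk8.pem": to_pem("PRIVATE KEY", TOY_PKCS8),
    "pk8-enc.pem": to_pem("ENCRYPTED PRIVATE KEY", TOY_ENC_PKCS8),
}

if __name__ == "__main__":
    for name, pem in SAMPLES.items(): print(f"{name:12s} {classify_pem(pem)}")
```

Running it prints one line per sample; the two "encrypted" entries differ only in named_in, which is exactly the distinction that matters when a tool such as extkeytool expects the PKCS#8 layout. To check a real file from the commands above, read it and pass the text to classify_pem; the parser stops at the AlgorithmIdentifier, so it never needs the password.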