"OpenSSL" Generating CA's Private Key

Cryptography Tutorials - Herong's Tutorial Examples

∟"OpenSSL" Signing CSR Generated by "keytool"

∟"OpenSSL" Generating CA's Private Key

This section provides a tutorial example on how to use OpenSSL to generate a RSA private key of 2048 bit long with OpenSSL. This key will be used as the CA's private key and must stored securely in a file with password protection.

As a CA, I must have a good private key (2048 bit long) and I must store it securely in a file. This can be done with a single OpenSSL command "openssl genrsa" as shown in the following command window session:

herong> openssl genrsa -out herong.key -des 2048

Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for herong.key: keypass
Verifying - Enter pass phrase for herong.key: keypass

herong> more herong.key

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,65D5EB070215060E

l5d+v8KbkPwCgFlrsMD+5FpVsldoCZPeCjMrrWzyym5wIKHKqVltfAjO...
Z2JBXMGxAV4kGky0Jca6/Kxb/tWAmJci0YaDXO0EjwTxeulj9MVL5t3m...
...
bHbZhRs6lUxB4PNosjkhZrgPzYRD7A3EmVqo6ZLXeYO2I2lVIe7k+Lec...
-----END RSA PRIVATE KEY-----

Notes about what I did here:

"genrsa" command is used to generate a pair of private key and public key using RSA algorithm.
"-out herong.key" tells openssl to store the private key in a file called herong.key.
"-des" option is used to encrypt my private key file "herong.key" with DES algorithm.
"2048" used to force openssl to generate keys a length of 2048 bits. The default length is 512. Longer keys give better protection.
"-passout keypass" is not used on the command line, because it does not work (See the test below). So I entered it when "OpenSSL" prompted for it.
"type herong.key" is Windows command to shows the content of "herong.key".

Error message received when "-passout keypass" is used:

herong> openssl genrsa -out test.key -des -passout keypass 2048
Invalid password argument "keypass"
Error getting password

Recently, someone emailed me the correct syntax of the "-passout" option: "-passout pass:<password>". Here is an example of how to use the "-passout" option correctly:

herong> openssl genrsa -out test.key -des -passout pass:keypass 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.....................................................................
...........+++
............................+++
e is 65537 (0x10001)

Want to see some details about my private key? Run the "openssl rsa" command as shown below:

herong> openssl rsa -in herong.key -text
Enter pass phrase for herong.key: keypass
Private-Key: (2048 bit)
modulus:
    00:ba:a3:a2:d1:ab:9b:9f:26:e6:b5:79:b4:52:11:
    ...
publicExponent: 65537 (0x10001)
privateExponent:
    00:9d:62:da:2d:57:3a:2f:36:5d:bc:d0:f9:97:6f:
    ...
exponent1:
    27:6c:ec:a2:b8:78:5f:55:67:b9:47:eb:3e:25:5d:
    ...
exponent2:
    00:a9:17:88:e5:d7:63:c3:7b:f8:6f:57:78:de:53:
    ...
coefficient:
    30:f5:86:b6:81:ad:1d:35:2c:1a:c1:ba:b9:d9:ab:
    ...
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuqOi0aubnybmtXm0UhE47JSDcCrc/NGtfbtJdk+9...
    ...
-----END RSA PRIVATE KEY-----