0

I have a couple of certificates whose formats seem pretty similar except for one thing. I have checked the details of the certs by using the following openssl command:

openssl x509 -in certname -text

In one of the certificates, the Subject Public Key info appears like this

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)

The other looks like

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public Key: (1024 bit)

I generated a certificate using the following commands:

openssl genrsa -out my.key 1024
openssl req -new -key my.key -config -out my.req
openssl ca -out my.crt -infiles my.req 

My cert contains Public Key: (1024 bit) and not "RSA Public Key: (1024 bit)"

What needs to be done differently to get the "RSA Public Key: (1024 bit)" in the certificate? My my.key starts with

-----BEGIN RSA PRIVATE KEY-----

so it's an RSA key.

user93353
  • try `openssl rsa -noout -text -in certname` and `openssl dsa -noout -text -in certname` on your certs. My guess is the first one is a DSA key, and it will fail with `read DSA key unable to load Key 139673943688872:error:06078081:digital envelope routines:EVP_PKEY_get1_DSA:expecting a dsa key:p_lib.c:308:` – dawud Apr 18 '13 at 12:16
  • @dawud - `openssl rsa -in` & `openssl dsa -in` both expect a key as input - how can you read a cert with it? - As expected both commands gave me `unable to load Private Key 11984:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:696:Expecting: ANY PRIVATE KEY` – user93353 Apr 18 '13 at 12:21
  • I assumed you have both cert and key in the same file, try the commands using the file that holds the key instead – dawud Apr 18 '13 at 13:19
  • @dawud - I have the private key only for 2nd one (the one which doesn't give RSA Public Key) - that works fine with the `openssl rsa` command – user93353 Apr 18 '13 at 14:05
  • No further guessing then, I guess :) – dawud Apr 18 '13 at 14:35

1 Answer

3

Do you really compare output of the same openssl x509 utility given different input files? The different output you ask about apparently just differs between OpenSSL versions. E.g., openssl-0.9.8e has such code:

                    BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
                    BN_num_bits(pkey->pkey.rsa->n));

However, openssl-1.0.0 has slightly different text:

            if (BIO_printf(bp,"Public-Key: (%d bit)\n", mod_len)
                    <= 0) goto err;

(note that the actual text is Public-Key, not Public Key). So the output for the same certificate may be different depending on which OpenSSL version you use to dump the file, and your files containing RSA Public Key: (1024 bit) were just dumped as text using an old version of OpenSSL.

Sergey Vlasov
  • Absolutely right. One cert was generated on a NetBSD setup I have & I got the output also on the same machine. The other was on a Windows setup. Both are different versions of openssl & the `openssl x509 -text` output differs. I ran it both on my Windows setup and both look similar now. Other things which differ are Modulus size is available on one and not available on the other & the hyphen also as you noted. – user93353 Apr 24 '13 at 13:10
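
Scripts that grep `openssl x509 -text` output for the key-size line stop matching when the label changes between OpenSSL versions, as the answer above describes. The shell functions below are an added example, not part of the original question or answer: they read the key algorithm and size from either label form. The function names `spki_summary` and `same_spki` are hypothetical, and the sample dumps are constructed from the lines quoted on this page.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read an `openssl x509 -text` dump on stdin and print "<algorithm> <bits>",
# whichever label the dumping OpenSSL version used for the key-size line.
spki_summary() {
    awk '
        /Public Key Algorithm:/ {
            alg = $0
            sub(/^.*Public Key Algorithm:[ \t]*/, "", alg)
            sub(/[ \t\r]+$/, "", alg)
            next
        }
        # 0.9.8e prints "RSA Public Key: (N bit)", 1.0.0 prints "Public-Key: (N bit)"
        alg != "" && /Public[- ]Key: \([0-9]+ bit\)/ {
            bits = $0
            sub(/^.*\(/, "", bits)
            sub(/ bit\).*$/, "", bits)
            print alg, bits
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# Return 0 when both dump files report the same key algorithm and size,
# 1 when they differ, 2 when either file has no recognisable key line.
same_spki() {
    a=$(spki_summary < "$1") || return 2
    b=$(spki_summary < "$2") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample dumps, built from the lines quoted in the question and answer.
OLD_DUMP='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)'
NEW_DUMP='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

printf '%s\n' "$OLD_DUMP" | spki_summary   # rsaEncryption 1024
printf '%s\n' "$NEW_DUMP" | spki_summary   # rsaEncryption 1024
```

This compares only the reported algorithm and size. To compare the keys themselves, `openssl x509 -noout -pubkey -in certname` prints the public key in PEM form, which does not depend on the text-dump layout.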