17

Why does OpenSSL provide two utilities with so much overlap

genpkey:

```text
OpenSSL> genpkey -
Usage: genpkey [options]
where options may be
-out file          output file
-outform X         output format (DER or PEM)
-pass arg          output file pass phrase source
-<cipher>          use cipher <cipher> to encrypt the key
-engine e          use engine e, possibly a hardware device.
-paramfile file    parameters file
-algorithm alg     the public key algorithm
-pkeyopt opt:value set the public key algorithm option <opt>
                   to value <value>
-genparam          generate parameters, not key
-text              print the in text
NB: options order may be important!  See the manual page.
```

And genrsa:

```text
OpenSSL> genrsa -
usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -seed
                 encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator
```

The docs in Debian are also really strange about this:

```text
   genpkey   Generation of Private Key or Parameters.
   genrsa    Generation of RSA Private Key. Superceded by genpkey.
```

Is genpkey a replacement? If so, how come it doesn't have -des3? And, how do we add a password to it, and specify the key length?

starfry
Evan Carroll
  • 5
    If you think having two different commands to do the same things isn't nuts, then consider that the ASN.1 structure generated `genrsa` and `genpkey` are actually different. The ASN.1 structure of keys generated using `genrsa` is pkcs#1, while keys generated using `genpkey` is pkcs#8. If that's not bad enough, if you use `genpkey -outform der` then it's back to pkcs#1. With EC, it's even worse, somehow `genec` is missing, instead there is `ecparam -genkey`, and somehow `ecparam -genkey`, `genpkey -outform pem`, `genpkey -outform der` all have different ASN.1 structure. – Lie Ryan Dec 28 '17 at 18:17
  • I wish I could give this comment of yours a bounty or otherwise more than just a simple upvote, @LieRyan. It is such an important piece of knowledge that may save one hours of debugging. openSSL is a PITA. – foo Nov 18 '21 at 16:15

1 Answer

14

It clearly states that genrsa has been superseded by genpkey, so yes, genpkey is a replacement.

You can change the cipher to 3des by using the -cipher argument.

Also, it should tell you that to add a password, you use the -pass argument.

You can find more information here

MichelZ
  • 1
    Well, I do see the `-pass` argument now (assuming that is the same as -3des), but I don't even see an option to specify key length on `genpkey`? I also pasted the entirety of what the Ubuntu 14.04 man pages had to say about it. – Evan Carroll Apr 19 '14 at 20:18
  • 1
    May I point you to this documentation then: [genpkey](https://www.openssl.org/docs/apps/genpkey.html#) – MichelZ Apr 19 '14 at 20:24
  • 3
    Lol, this is nuts... `-pkeyopt rsa_keygen_bits:numbits`. – Evan Carroll Apr 19 '14 at 20:24
  • 1
    Why is it nuts? :) – MichelZ Apr 19 '14 at 20:29
  • 10
    Because the whole purpose of -h is to provide a synopsis of the command. That said, I just found out `genpkey` is actually documented in its own man pages. That's interesting. The whole project should move the direction of git-core, with the man pages all prefixed with openssl-, and the ui permitting `openssl help genpkey` to render the man pages. tldr; better docs would help. – Evan Carroll Apr 19 '14 at 20:35
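The following script is an added example (not from the thread or from the OpenSSL project) that generates a 2048-bit RSA key with each tool, with and without a passphrase, and then reads back the PEM label and modulus size so the PKCS#1 vs PKCS#8 difference from Lie Ryan's comment and the `-pkeyopt rsa_keygen_bits` / `-pass` options from the answer can be checked directly. File names and the passphrase are constructed; note that OpenSSL 3.0 changed `genrsa` to write PKCS#8 by default (`-traditional` restores the old PKCS#1 form), so the `genrsa` label depends on the installed version.

```shell
#!/bin/sh
# Added example: compare what genrsa and genpkey actually write to disk.
# Requires the openssl CLI; the passphrase and paths below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PW='example-passphrase'   # constructed; use a real secret source in practice

# PEM label of the first block in a file: "RSA PRIVATE KEY" (PKCS#1),
# "PRIVATE KEY" (PKCS#8) or "ENCRYPTED PRIVATE KEY" (PKCS#8, encrypted).
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Modulus size in bits as reported by openssl pkey; $2 is the passphrase, if any.
# Works for both PKCS#1 and PKCS#8 inputs, encrypted or not.
key_bits() {
    openssl pkey -in "$1" -passin "pass:${2:-}" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# genrsa: key size is positional, cipher is a flag, passphrase comes via -passout.
# OpenSSL 1.x writes PKCS#1 ("RSA PRIVATE KEY"); 3.x writes PKCS#8 unless -traditional.
gen_genrsa() {
    openssl genrsa -out "$WORK/genrsa.pem" 2048 2>/dev/null
    openssl genrsa -aes256 -passout "pass:$PW" -out "$WORK/genrsa.enc.pem" 2048 2>/dev/null
}

# genpkey: key size via -pkeyopt rsa_keygen_bits, cipher via -<cipher>, passphrase via -pass.
# PEM output is PKCS#8 on every version.
gen_genpkey() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/genpkey.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$PW" -out "$WORK/genpkey.enc.pem" 2>/dev/null
}

gen_genrsa
gen_genpkey
for f in genrsa genrsa.enc genpkey genpkey.enc; do
    printf '%-12s %-22s %s bits\n' "$f" \
        "$(pem_label "$WORK/$f.pem")" "$(key_bits "$WORK/$f.pem" "$PW")"
done
```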