
I have the following commands for OpenSSL to generate Private and Public keys:

openssl genrsa –aes-128-cbc –out priv.pem –passout pass:[privateKeyPass] 2048

and

openssl req –x509 –new –key priv.pem –passin pass:[privateKeyPass] -days 3650 –out cert.cer

... but they are not working. For the first command I get the following error:

usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -seed
                 encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator

What am I doing wrong?

Edit: I solved the first command:

openssl genrsa -aes128 -out privkey.pem 2048

But now I'm getting an error with the second:

unknown option –x509
user2066657
kozla13

2 Answers

'genrsa' generates just an RSA key.

'req' then uses that key to make an x509 style request.

If you just need a rsa key pair - use genrsa.

If you need a keypair and a signed x509 request you use 'genrsa' and then 'req'.

Optionally 'req' can also generate that key for you (i.e. it encapsulates the 'genrsa' command, and the gendh).

So:

 openssl genrsa -aes128 -out privkey.pem 2048
 openssl req -new -x509 -key privkey.pem 

is almost equivalent to

 openssl req -new -x509 -keyout privkey.pem  -newkey rsa:2048

except that unlike 'genrsa', 'req' does not allow you to specify aes128 as the encryption.

So in a lot of enterprise settings one does it in two steps so as to get sufficient control over the key encryption applied.

Scott Stensland
Dirk-Willem van Gulik
  • This command did the trick: openssl req -new -x509 -key new.pem -days 3650 -out cert.crt Many Thanks – kozla13 Sep 28 '12 at 14:55
  • Note that -x509 yields a self-signed certificate. Omit this option if you want to generate a certificate request. – Todd May 31 '14 at 19:35
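A worked version of the two-step procedure described in the answer above, added here as an example; it is not part of the original answer or of OpenSSL's own documentation. It assumes `openssl` (1.0 or later) is on PATH and that the caller supplies a throwaway output directory and passphrase; the subject `/CN=example.test` and the `dashes_are_ascii` pre-flight are additions for the demo. Two facts worth knowing when reading the question: the commands there are typed with en dashes (U+2013) rather than ASCII hyphens, which is exactly what OpenSSL reports as "unknown option –x509", and `-aes-128-cbc` is the `openssl enc` spelling, whereas the `genrsa` usage text printed in the question lists `-aes128`.

```shell
#!/bin/sh
# Added example (not from the original answer). Two-step generation of an
# AES-128-encrypted RSA key with `genrsa`, then a self-signed certificate
# with `req -x509`, plus the checks worth running afterwards.
# Assumptions: `openssl` (1.0 or later) is on PATH; the output directory and
# passphrase are demo values supplied by the caller.
set -u

# Pre-flight for commands pasted from web pages: returns 1 if the string
# contains an en dash (U+2013) or em dash (U+2014). OpenSSL only recognises
# options that start with an ASCII hyphen-minus, so a pasted "–x509" is
# reported as "unknown option".
dashes_are_ascii() {
    endash=$(printf '\342\200\223')
    emdash=$(printf '\342\200\224')
    case "$1" in
        *"$endash"*|*"$emdash"*) return 1 ;;
        *) return 0 ;;
    esac
}

# make_selfsigned <outdir> <passphrase>
# Writes <outdir>/privkey.pem (AES-128-CBC encrypted) and <outdir>/cert.pem.
make_selfsigned() {
    dir=$1; pass=$2
    mkdir -p "$dir" || return 1

    # Step 1: the key. The option is -aes128, not the `openssl enc` spelling
    # -aes-128-cbc from the question. -passout avoids the interactive prompt;
    # prefer a file: or env: source over pass: outside a demo so the
    # passphrase does not land in shell history or `ps` output.
    openssl genrsa -aes128 -passout "pass:$pass" -out "$dir/privkey.pem" 2048 2>/dev/null \
        || return 1

    # Step 2: the certificate. -x509 makes `req` emit a self-signed
    # certificate instead of a CSR; drop it (keep -new) to get a request for
    # a CA to sign instead.
    openssl req -new -x509 -key "$dir/privkey.pem" -passin "pass:$pass" \
        -days 3650 -subj "/CN=example.test" -out "$dir/cert.pem" 2>/dev/null \
        || return 1
}

# check_pair <outdir> <passphrase>
# Returns 0 only if the key on disk is really encrypted and the certificate
# carries the public half of that key (the "did I sign with the right key"
# check before deploying cert and key together).
check_pair() {
    dir=$1; pass=$2
    # Legacy PEM (1.x) carries a "Proc-Type: 4,ENCRYPTED" header, PKCS#8 (3.x)
    # a "BEGIN ENCRYPTED PRIVATE KEY" banner; a plaintext key has neither.
    grep -q ENCRYPTED "$dir/privkey.pem" || return 1
    keypub=$(openssl pkey -in "$dir/privkey.pem" -passin "pass:$pass" -pubout 2>/dev/null) \
        || return 1
    certpub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) \
        || return 1
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# Usage: sh mkcert.sh <outdir> <passphrase>
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2" && check_pair "$1" "$2" \
        && openssl x509 -in "$1/cert.pem" -noout -subject -issuer -dates
fi
```

Run it as `sh mkcert.sh ./out 'some passphrase'`; on success it prints the certificate's subject, issuer (identical for a self-signed cert) and validity window. `check_pair` with the wrong passphrase fails because `openssl pkey` cannot decrypt the key, which is the behaviour you want from a deployment gate: it refuses rather than silently comparing an empty string.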

As I can see from the output, you chose the wrong algorithm. Shouldn't you pass -aes128 instead of -aes-128-cbc?

From the manual I assume that -aes-128-cbc is a proper parameter for openssl enc, but I don't know if it should work for genrsa.

Piotr Zierhoffer