What is the difference between the two commands below?
1. openssl genpkey -algorithm RSA
2. openssl genrsa

In the documentation, the difference is "Private Key" and "RSA Private Key".

Then..
What is the difference between "Private Key with algorithm RSA" and "RSA Private Key"?

diky

2 Answers

The genpkey command can create other types of private keys - DSA, DH, EC and maybe GOST - whereas genrsa, as its name implies, only generates RSA keys. There are equivalent gendh and gendsa commands.

However, the OpenSSL documentation states that these gen* commands have been superseded by the generic genpkey command.

In the case of your examples, both generate RSA private keys.

openssl genrsa -out genrsa.key 2048

and

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out genpkey.key

will generate a 2048 bit RSA key with the exponent set to 65537.

Simply cat the resulting files to see that they are both PEM format private keys; although openssl rsa encloses them in BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY while openssl genpkey omits the RSA. The former is PKCS#1 format, while the latter is PKCS#8.

Running openssl rsa -text -in <filename> against both shows that they are RSA private keys with the same publicExponent. The newer genpkey command has the option to change this using -pkeyopt rsa_keygen_pubexp:value while the genrsa command doesn't have this option.

garethTheRed
  • The difference in the output files is the difference between 'traditional' or 'legacy' format written by `genrsa` (and also `rsa`) and 'new' (since about 2000) PKCS8 format written by `genpkey` (and also `pkey` and `pkcs8 -topk8`); although they contain semantically the same information they are not the same and the PEM label `RSA PRIVATE KEY` vs `PRIVATE KEY` is very important. Also if they are password-encrypted (your example is not) the PBE used is _very_ different (PKCS8 is better). There is no commandline `gendh` -- and EC-specific gen is inconsistently `ecparam -genkey` ! – dave_thompson_085 Jan 10 '18 at 08:14
  • Thank you.. Then, the difference is the format and genrsa is the more legacy way, right? So then, is **genpkey -algorithm RSA** the better way to generate an RSA key than **genrsa**? – diky Jan 11 '18 at 01:18
  • @dave_thompson_085 - Thank you for the update. I've edited my answer to add PKCS#1 & #8. `gendh` is listed as an option to `openssl help`. That's as far as I've tried it though! – garethTheRed Jan 11 '18 at 06:23
  • You're right, I wrote that too fast and skipped a bit; sorry. `gendh` _and_ `gendsa` generate _parameters_ (aka groups) not keys, equivalent to new-style `genpkey -genparam` ; `dsaparam -genkey` and `ecparam -genkey` generate keys for given parameters but there is no old-style way to generate a DH _key_ (for any parameters), only new-style `genpkey` (without `-genparam`) can do a DH key. – dave_thompson_085 Jan 11 '18 at 09:43

Be aware that Exim with DKIM support does not directly accept RSA private keys generated by the openssl genpkey -algorithm rsa ... command. Exim expects the private key to use the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY delimiter lines, as generated by openssl genrsa ..., and not BEGIN PRIVATE KEY/END PRIVATE KEY as generated with openssl genpkey ....

Exim will fail with the message DKIM: signing failed (RC -101) in the panic log when sending mail if the delimiter lines are wrong.

SemperOSS
  • This problem may be limited to earlier Exim versions. A server running Exim 4.91 (linked to OpenSSL 1.1.0h) is using a `genpkey` DKIM key with `BEGIN PRIVATE KEY / END PRIVATE KEY` delimiters. Exim is using this key to sign outgoing SMTP without any problems. – Fred Schleifer Aug 14 '18 at 04:59