By chance, it's possible to resize key length of certificat ?
From 4096 to 2048.
Thanks
Related
I am trying to do a RSA 4096 encryption and decryption. I have installed the package
composer require phpseclib/phpseclib
But after that when i want to use
use phpseclib\Crypt\RSA as Crypt_RSA;
It is showing Class not found error. But I have installed it correctly.
And also i need some guidance how can I encrypt Token using RSA 4096 and also how can I decrypt.
I am totally new in RSA also don't know how to use public key and private key.
Can someone guide me regarding this?
AWS outputs this key line 2048 SHA256:2p2o3eIz/XxxX6IIegXx5FkHo3Lap7xR+Ue2qJ0zV4w root#ip-****** (RSA) to the system log. How can I replicate this format for the ssh-rsa key from the command line? I was scraping the logs until I realized that you can't rely on ec2's console-log fetching command because it's buffered and only stores a small amount of the output.
To clarify the ssh-key file in question is a PEM style file with the beginning and ending tags for a base64 encoded ----RSA PRIVATE KEY----
If it's helpful to know the ssh-rsa line value for the public key is base64 encoded.
I've tried...
sudo ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key
2048 MD5:10:b6:fd:21:fb:f4:ca:6b:ef:15:50:15:af:8b:5a:5d root#ip-****** (RSA)
and
sudo ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
2048 SHA256:2p2o3eIz/XxxX6IIegXx5FkHo3Lap7xR+Ue2qJ0zV4w root#ip-****** (RSA)
But neither produce output looking
-----BEGIN SSH HOST KEY KEYS-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7+hIGwj+cfT6tLdaVuUewnY/NwoQUdAaLw30auAHQS1B/HAEEJ+f+iLjC7JM2IV00Pgbt1trttRmaApghwkB75h0NXArxrfcHTKKV2FO0d8slO9HwDUMbLOEN+L5H0/T0Xtq9u1vnOz2LyMb5KeIywa0HXZ6bGqt1rYCV3Qi369+FUrtTFw8jo8Y21LmqHVltd/d7Kv40Hb3jzqAOCh3jtZ3bilenMA9pAtXM+XJP54oS6z0NutDJLU2n1DVg2q+5wwjJJqljgYg98t5Xj8VmGlWrtam6FMcaSJ77UwMyxLsSe/Ow7DYGAMrd6PLY5RA1stj4W0WYeB8IOSgyGWPf root#ip-******
-----END SSH HOST KEY KEYS-----
I had an ah-ha moment.
You can just use ssh-keyscan -t rsa localhost to generate the known_hosts key entry for the rsa public key of the server. Since I'm logging into the ec2 instance now instead of trying to scrape the logs I can just trust the results.
Using EJBCA (6.2.0), after adding an ecdsa entity certificate on the Ejbca's "Admin" server, I tried to use the Ejbca public web to enroll this entity certificate, however, it only provides the choice to select RSA key bit length but not the named curves that I need ( note: I have all the certificate CA, profile configured as ECDSA). After spending few days to google on this topic, I come to the impression EJBCA only capable of using ECDSA to sign certificate but not to generate ECDSA keys!
I wonder if there is a way to workaround this issue ? Any help is greatly appreciated !
Thanks,
Harold T
This depends on which key pair you are generating. When generating a CA in EJBCA up to three keys and certificates are generated:
A CA signing keypair and certificate
An encryption keypair, used for encrypting keyrecovery information
An OCSP signer keypair and certificate
When using ECDSA keys, the CA signing keypair and the OCSP signer keypair will be the ECDSA keytype you select when creating the CA. The CA signing and OCSP signing certificate will be signed using your selected signature algorithm.
The encryption keypair will always be RSA, using 1024 or 2048 bit key length. It uses the key length set in the admin-GUI or 2048 bit by default using the cli. A dummy encryption certificate will be created using SHA1WithRSA.
using batch tool you can edit conf/batchtool.properties to achieve what you are asking for.
Future versions will support it in the gui as well.
I'd like to understand something.
I generate keys with xca, which is a UI to openssl.
I have created a CA, then generate a server certificate for https and use this CA to sign the generated certificate. The newly created certs are subcerts of the CA (as far as I can tell).
I put in the CN for the domain, generate a new private key of 4096bit length, export the crt and key pem including private key. Upload and configure nginx in this case.
Now I'm accessing the site over https. When clicking connection info in Firefox I see:
Connection Encrypted: High-grade Encryption (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys)
In Chromium:
Your connection to domain.tld is encrypted with 128-bit encryption. <...>
The question/s:
My private key is 4096 bits. Why does it use 128 bits?
Which of the 4096 bits are used in those 128 bits?
Why am I generating a 4096 bit key if only 1/32 of its length are used?
I'd like to understand how this process works.
The 4096 bit RSA key and its associated certificate provides authentication during the setup of the connection and key agreement, allowing the client to verify that they are indeed connected to your server, and not a man-in-the-middle claiming to be your server.
However, the RSA algorithm is orders of magnitude slower than symmetric algorithms like AES with similar security properties, as well as being limited in the amount of data it can encrypt. It is therefore not used to protect the actual data transmitted, and instead a session key for a symmetric algorithm is agreed between the client and server.
In this case, the session key is agreed using the ephemeral Elliptic Curve Diffie-Hellman (ECDHE) algorithm, which allows client and server to derive a random, shared key without ever transmitting the key itself. It is this key which is 128bit, and is being used with the symmetric AES encryption algorithm in Galois/Counter Mode (GCM).
Is a certificate chain valid if its certificates have different keysizes i.e. a user certificate has keysize pair of 2048 bits and its CA certificate ahs keysize of 1024 bits or vice-versa.
Thanks.
Of course it is valid. The validation is only about if the user certificate has been signed by the CA certificate (and if the CA certificate have the proper extensions configured - not all libraries check this though).
The keysize is unrelated to the validation of the chain