Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
what is different between 2 command in open ssl tools?
openssl genrsa -des3 -out privkey.pem 2048 and openssl genrsa -out privkey.pem 2048?
thanks
The -des3 option specifies how the private key is encrypted with a password. Without a cipher option, the private key is not encrypted, and no password is required.
Password encryption can protect the private key even when file-system–based access control is circumvented.
According to the docs:
-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
These options encrypt the private key with specified cipher before
outputting it. If none of these options is specified no encryption is
used. If encryption is used a pass phrase is prompted for if it is not
supplied via the -passout argument.
DES is an encryption method and DES3 (also called triple DES) is the same method that is ran 3 times in a row to make the encryption stronger.
DES3 is a standard that is being heavily used (-des3), for example, when your browser is being redirected to port 443 (SSL), after the RSA key exchange, DES3 is being used (with the RSA key) for the rest of the session.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
We have a p12 (PKCS#12) <my_ssl_key_file.p12> file for SSL Certificate Key file requiring a passphrase. However, referencing it in the apache directive like so does not work:
<VirtualHost *:443>
...
...
SSLCertificateKeyFile /path/to/my_ssl_key_file.p12
...
</VirtualHost>
I can get around by converting the p12 file using openssl pkcs12 with the passphrase like so:
$openssl pkcs12 -in my_ssl_key_file.p12 -out my_ssl_key_file.key
and changing the directive to reference the new my_ssl_key_file.key
but this seems counterintuitive to strip the P12 encryption. Is there a way to directly reference the P12 file instead? Perhaps my approach is the wrong approach?
PKCS12 is not supported by SSLCertificateKeyFile.
From the doc, PEM is the required format. And the private key should be protected by a passphrase.
Note that the PKCS12 is used to hold the certificate and the certificate chain and the private key as well.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I have created a privatekey.key during SSL creation for CSR certificate creation for getting SSL certificate. I have purchased the certificate and configured SSL in my Apache server, after that when I restart the server it stops working, for make it working I have used the following command as follows:
C:\Apache24\bin> openssl rsa -in privatekey.key -out privatekey.key
After that when I restarted my Apache it is working fine. But now it is showing me that 128 bit encryption, but I had created the key for 2048 bit encryption. How can I make it 2048 bit encryption?
Please check the following image:
You have got to be aware that SSL/TLS uses hybrid encryption: During the handshake it uses asymmetric encrytpion like RSA to exchange a key for some symmetric encryption-algorithm like AES that is then used to encrypt the traffic. The reason is that asymmetric encrpytion is rather slow compared to symmetric algos, so you use those on the bulk data to get better performance and reduce server-load.
Also take care that asymmetric algorithms require significantly longer keys for the same "strength". While 256-bit AES might sound less secure than 4096-bit RSA they might actually be quite similar from the offered protection.
So while you are using 2048-bit RSA for the key-exchange, 128-bit-AES is used to encrypt the payload.
P.S.: the cipher used during the session is negotiated between client and server from a list of ciphers each support during the SSL-handshake.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I've just bought comodo essential wildcard certificate, they asked me to generate csr to activate it.
As i understood, i need to:
Generate RSA 2048bit private key
Generate CSR based on it
As i see, openssl genrsa command accepts different encryption params:
-des encrypt the generated key with DES in cbc mode -des3 encrypt the generated key with DES in ede cbc mode (168 bit key)
-aes128,
-aes192,
-aes256
What should i use?
The encryption param of openssl genrsa command is used to specify which algorithm to use for encrypting your private key (using the password you specify).
CSR (Certificate Signing Request) includes your public key and some additional public information to be included into certificate. CSR never includes a private key.
So, choice of algorithm for encrypting the private key is completely unrelated to CSR. Choose whatever you prefer. AES variants and Triple-DES (-des3) should be preferred; plain DES is usually considered not secure these days. Also see why AES is more secure than DES. But I think algorithm choice in this particular case is not as important as using a strong password and protecting it.
Note: remember that if you protect your private key with a password, you will be prompted to enter the password every time you want to access the private key, such as when starting your web server. If you forget the password, your private key is effectively lost and you must generate a new key and request a new certificate. You could generate a private key without encryption (without password): openssl genrsa -out filename.key 2048. It is also possible to remove the password (effectively, store it unencrypted) at any time using command like this: openssl rsa -in encrypted.key -out unencrypted.key. You’ll need the password for that (you will be prompted to enter it).
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I use OpenSSL on ubuntu to generate a CSR file that I will paste to the SSL certificate provider. when I paste the code, I see an unknown e-mail addreses to select but not the e-mail address I have entered during csr creation.
Where does OpenSSL get this email addresses, like postmaster#mydomain.com, admin#mydomain.com.
The command that I use is:
sudo openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key
The point is that most Certificate Authorities ("certificate provider") ignore the e-mail address from the CSR itself, since it is user provided input and thus not trustworthy.
The e-mail addresses presented to you during the application process are
from the Admin-C WHOIS record of the domain for which you are applying a certificate for
some standard addresses which are assumed to usually exist for most domains (postmaster#, admin#, ..)
This is done by the CA to prevent fraud and ensure that only someone with access to the domain is able to buy a certificate for it.
You can't change that. You can:
Either configure one of the presented e-mail addresses on your domain and fetch the confirmat e-mail from there
Or, if possible, change your Admin-C records e-mail address (which will take a while)
Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 months ago.
The community reviewed whether to reopen this question 4 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
I'm trying to set up SSL on Nginx. It doesn't work, and I am getting the following error in the error log, which is getting passed up from the OpenSSL library which nginx was compiled with. I don't know what that library is, but it's version 0.8.54 of nginx, and I installed it using apt-get on Ubuntu Linux.
2012/02/21 07:06:33 [emerg] 4071#0:
SSL_CTX_use_PrivateKey_file("/exequias/certs/exequias.com.key") failed (SSL:
error:0906406D:PEM routines:PEM_def_callback:problems getting password error:
0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:
SSL_CTX_use_PrivateKey_file:PEM lib)
I have ensured that the file permissions on the private key file are not stopping nginx from reading it. It is an RSA private key, generated with openssl rsa.
Any ideas what might be causing this?
Remove the key pass phrase:
openssl rsa -in key.pem -out newkey.pem
If the certificate and the key are together:
openssl rsa -in mycert.pem -out newcert.pem
openssl x509 -in mycert.pem >>newcert.pem
Source: http://www.madboa.com/geek/openssl/#key-removepass
I got it... the private key file used with nginx must not have a passphrase. I removed the passphrase and it worked.
Because you generate the .crt file with a passphrase, so you need to specify the same passphrase for your .key and .crt file in Nginx conf like this
server {
ssl_password_file /path-to-your-passphrase/ssl.pass;
}
See Nginx Doc
Or if you don't need the passphrase for your cert file, just use ssh-keygen tool to generate the file as following:
ssh-keygen -t rsa
The question is a bit old now, and nginx actually supports passphrase asking at startup since at least version 1.2. But the issue is still relevant because this capability has been removed from debian in the latest release, version 8 with nginx 1.6. The reason is that passphrase input hasn't been implemented in the systemd script for nginx, while it has been for apache. Launching nginx manually simply works, and it's not too a problem since manual intervention is required anyway, there's no use of systemd here.
Reference: https://forum.nginx.org/read.php?2,262900,262931#msg-262931