openssl command degenerative examples
The openssl command is available for use by all users.
The intended audience for this page is system administrators who can submit requests which IST will recognize.
I started this page as an attempt to start explaining RSA encryption to myself, using the openssl command in ways which would not be secure, but would explain how RSA works at a fundamental level.
I hope eventually to integrate this with information such as is found here to provide a full tutorial.
openssl examples
You should be able to go to an empty directory and literally cut-and-paste the following Unix commands to get an idea of SSL key structure.
Generate a new private key
The smallest modulus openssl lets you get away with.
cscf.cs% openssl genrsa -out toy.key 31
Generating RSA private key, 31 bit long modulus
.+++++++++++++++++++++++++++
.+++++++++++++++++++++++++++
e is 65537 (0x10001)
cscf.cs% cat toy.key
-----BEGIN RSA PRIVATE KEY-----
MCsCAQACBHLWmLUCAwEAAQIEOTZbkQIDANHDAgMAjCcCAi6rAgJMawIDAJfW
-----END RSA PRIVATE KEY-----
cscf.cs%
To make the tutorial easier to follow, perhaps put the above key into toy.key instead of the key you generated (at least for one of your runs).
View details of that private key
cscf.cs% openssl rsa < toy.key -text
Private-Key: (31 bit)
modulus: 1926666421 (0x72d698b5)
publicExponent: 65537 (0x10001)
privateExponent: 959863697 (0x39365b91)
prime1: 53699 (0xd1c3)
prime2: 35879 (0x8c27)
exponent1: 11947 (0x2eab)
exponent2: 19563 (0x4c6b)
coefficient: 38870 (0x97d6)
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MCsCAQACBHLWmLUCAwEAAQIEOTZbkQIDANHDAgMAjCcCAi6rAgJMawIDAJfW
-----END RSA PRIVATE KEY-----
cscf.cs%
In addition, the following allows you to correlate the above details to positions in the base64 encoded binary form.
cscf.cs% cat toy.key | sed '/^-/d' | /usr/local/bin/base64 -d | od -t x1
0000000 30 2b 02 01 00 02 04 72 d6 98 b5 02 03 01 00 01
0000020 02 04 39 36 5b 91 02 03 00 d1 c3 02 03 00 8c 27
0000040 02 02 2e ab 02 02 4c 6b 02 03 00 97 d6
0000055
cscf.cs%
If using Ubuntu, the base64 command should be available as /usr/bin/base64, probably on your PATH. It appears to be part of the coreutils package.
Show the public key corresponding to a private key
cscf.cs% openssl rsa -in toy.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MB8wDQYJKoZIhvcNAQEBBQADDgAwCwIEctaYtQIDAQAB
-----END PUBLIC KEY-----
cscf.cs%
View details of that public key
cscf.cs% openssl rsa -in toy.key -pubout | openssl rsa -pubin -text
writing RSA key
Modulus (31 bit): 1926666421 (0x72d698b5)
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MB8wDQYJKoZIhvcNAQEBBQADDgAwCwIEctaYtQIDAQAB
-----END PUBLIC KEY-----
cscf.cs%
cscf.cs% openssl rsa -in toy.key -pubout | sed '/^-/d' | \
 /usr/local/bin/base64 -d | od -t x1
writing RSA key
0000000 30 1f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05
0000020 00 03 0e 00 30 0b 02 04 72 d6 98 b5 02 03 01 00
0000040 01
0000041
cscf.cs%
Generate a new Certificate Signing Request (CSR)
This key is too small to use to generate a CSR.
Generate a larger private key for self-signed certificate or CSR
The smallest number of bits I seemed to be able to specify and then generate a self-signed certificate was 361.
cscf.cs% openssl genrsa -out toy.key 361
Generating RSA private key, 361 bit long modulus
........++++++++++++++++++
.................................++++++++++++++++++
e is 65537 (0x10001)
cscf.cs% openssl req -new -key toy.key -x509 -out new.pem -subj /CN=toy.uwaterloo.ca
cscf.cs% openssl req -new -key toy.key -out new.csr -subj /CN=toy.uwaterloo.ca
cscf.cs%
The prime numbers there are all too large to be shown in digit form, and instead all are shown in hex byte format. So they won't help a lot in understanding the algorithms.
--
AdrianPepper - 13 Sep 2011