
Re: Generate OpenSSL CSR in Squeeze



On 07/27/2011 11:55 AM, Ivan Shmakov wrote:
David A Parker <dparker@utica.edu> writes:

  >  We have an RSA key with no encryption password, and we need to generate
  >  a CSR using this key.  However, when I try to generate a CSR, I get an
  >  error:

  >  # openssl req -new -key server.key -out server.csr
  >  Enter pass phrase for server.key:

	I guess that openssl(1) somehow doesn't recognize the format of
	the key file, thus thinking that it may be encrypted.

	While I don't know what may cause this behavior, I'd try to use
	GnuTLS' certtool(1) to generate the request, in the hope that
	it's unlikely that both OpenSSL and GnuTLS would've been broken
	in the same way.

$ certtool --generate-request --load-privkey=server.key --outfile=server.csr

[…]


Thanks. It turns out the key file in question is an encrypted key (not a plain RSA key as I thought). However, it was created with no password specified, and apparently OpenSSL doesn't stop you from doing this, but it can't read the encrypted key later if you chose not to set a password. A quick example:

# openssl genrsa 4096 | openssl pkcs8 -topk8 -out test.key
Generating RSA private key, 4096 bit long modulus
.......................++
..................................................................++
e is 65537 (0x10001)
Enter Encryption Password:
Verifying - Enter Encryption Password:

I just hit <ENTER> when prompted for the password each time, so the password is blank. But then you get an error when you try to create a CSR using this key:

# openssl req -new -key test.key -out test.csr
Enter pass phrase for test.key:
328:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:850:You must type in 4 to 8191 characters
Enter pass phrase for test.key:

And now you're stuck. It just keeps asking for a password, and even ^C won't break out of this. You have to enter a junk password that's more than 4 characters, and that will force it to fail and abort.

I think this behavior is very odd.

    - Dave

--

Dave Parker
Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
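The situation Dave describes, as an added example that is not part of the original thread: the script below reproduces the empty-pass-phrase trap non-interactively (so nothing gets stuck at a prompt), shows how to tell from the PEM header which kind of key file you are holding, and shows the two ways out (PKCS#8 with `-nocrypt`, or a real pass phrase supplied via `-passin` so the interactive reader and its 4-character minimum never come into play). It assumes an `openssl` binary on `PATH` (`genpkey`, `pkcs8 -passout` and `req -subj` are all long-standing options) and a writable temp directory; the file names, the subject `/CN=example.test` and the pass phrase `correct-horse` are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes: an openssl binary on
# PATH and a writable temp dir. File names, CN and pass phrase are made up.
set -eu

# key_kind FILE: classify a PEM private key from its header lines, so you can
# tell in advance whether "openssl req -key FILE" is going to prompt.
key_kind() {
    first=$(head -n 1 "$1")
    case "$first" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8-plain ;;
        '-----BEGIN '*' PRIVATE KEY-----')
            # Traditional PEM (RSA/EC PRIVATE KEY) marks encryption with a
            # Proc-Type header on the second line rather than in the label.
            if sed -n 2p "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo legacy-encrypted
            else
                echo legacy-plain
            fi ;;
        *) echo unknown ;;
    esac
}

# write_req_conf FILE: minimal req(1) config so the example does not depend on
# the system openssl.cnf; the subject comes from -subj on the command line.
write_req_conf() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# setup_keys DIR: build the key files this example works with.
setup_keys() {
    dir=$1
    write_req_conf "$dir/req.cnf"
    # Unencrypted PKCS#8 key (BEGIN PRIVATE KEY): what the poster assumed he had.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/plain.key" 2>/dev/null
    # The trap from the post, reproduced without a prompt: -topk8 encrypts
    # unless told not to, and an empty pass phrase is accepted at this point.
    openssl pkcs8 -topk8 -in "$dir/plain.key" -passout pass: \
        -out "$dir/blank-pass.key"
    # Way out 1: PKCS#8 with no encryption at all.
    openssl pkcs8 -topk8 -nocrypt -in "$dir/plain.key" -out "$dir/nocrypt.key"
    # Way out 2: encryption with a real pass phrase that -passin can supply.
    openssl pkcs8 -topk8 -in "$dir/plain.key" -passout pass:correct-horse \
        -out "$dir/real-pass.key"
}

# make_csr KEY CSR CONF [PASS]: generate and self-verify a CSR with no UI
# prompt. A pass phrase given as the 4th argument goes in via -passin, which
# bypasses the interactive reader (and its 4-character minimum) entirely.
make_csr() {
    key=$1; csr=$2; conf=$3; pass=${4-}
    if [ -n "$pass" ]; then
        openssl req -new -batch -config "$conf" -subj '/CN=example.test' \
            -key "$key" -passin "pass:$pass" -out "$csr" 2>/dev/null
    else
        openssl req -new -batch -config "$conf" -subj '/CN=example.test' \
            -key "$key" -out "$csr" 2>/dev/null
    fi
    # Exit status is non-zero if the request's self-signature does not verify.
    openssl req -config "$conf" -in "$csr" -noout -verify >/dev/null 2>&1
}

main() {
    dir=$(mktemp -d)
    setup_keys "$dir"
    for f in plain.key blank-pass.key nocrypt.key real-pass.key; do
        printf '%-16s %s\n' "$f" "$(key_kind "$dir/$f")"
    done
    make_csr "$dir/nocrypt.key"   "$dir/nocrypt.csr"   "$dir/req.cnf"
    make_csr "$dir/real-pass.key" "$dir/real-pass.csr" "$dir/req.cnf" correct-horse
    echo "CSRs written under $dir"
}
main
```

Note that the script never tries to decrypt `blank-pass.key` with an empty `-passin pass:`; whether a given OpenSSL release accepts a zero-length pass phrase on the reading side is, in my experience, version-dependent, so the dependable route is to keep the unencrypted key (or the real pass phrase) and derive whatever you need from that. `key_kind` is the check to run first: a `BEGIN ENCRYPTED PRIVATE KEY` header means `openssl req -key` will prompt, whatever you remember typing when the file was made.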

