Buschhardt
Reputation: 171
Create private key and certificate using RSASSA PSS with openssl
how, if its possible to create a self signed key and certifactes using openssl with RSASSA-PSS (RFC 4065)?
I managed to use a existing (non-RSASSA-PSS) certificate with this padding mode:
Signing
openssl dgst -sha256 -sign privateKey.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out pss.sha256 test.txt
Verifying
openssl dgst -sha256 -verify pubkey.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature pss.sha256 test.txt
But I think these mode and saltlen should be (RFC 4065 must be) in the certificate?
If its not possible with openssl, what can I use instead?
Thank you.
Upvotes: 6
Views: 8325
Answers (1)
fxdeltombe
Reputation: 61
openssl genpkey, req and ca (and maybe other openssl commands) allow to set some metadata so as to restrict the use of or certificate to specific constraints depending on the algorithm : eg. for RSA-PSS, min length for salt, digest method for signature...
- for
openssl genpkey, the options are set with-pkeyopt, and they are transmitted to the CSR - for
openssl reqandca, the options are set with-sigopt
For example
openssl genpkey -algorithm rsa-pss \
-pkeyopt rsa_keygen_bits:2048 \
-pkeyopt rsa_pss_keygen_md:sha256 \
-pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
-pkeyopt rsa_pss_keygen_saltlen:32 \
-out privateKey.pem
Upvotes: 3
Related Questions
- How to generate RSA private key using OpenSSL?
- How to create public and private key with OpenSSL?
- Use a RSA public key to generate the corresponding private key in OpenSSL?
- Generate Private and Public key OpenSSL
- openssl create certificate and key
- Generate RSA public/private key with OpenSSL?
- Generate private key RSA with PKCS1
- How to generate SSL certificate using openSSL?
- openssl RSA private and public keys
- How can I generate RSA private keys encrypted with AES128 or AES256 using openssl?