
I have run into a CSR generation problem I can't seem to explain and was wondering if someone could either help me with my command, or tell me what I am generating.

I think I am generating CRT certificates in PEM format, but it seems my key is not in PEM format!?

Here is what I do, and what I get. I create a CSR with:

```
openssl req -nodes -new -newkey rsa:2048 -sha256 -out test.csr
```

This generates 2 files: privkey.pem and test.csr

Now when I try and update some servers, they complain that my Private key is not in PEM format. nginx and apache seem happy with my key.

When I then convert the key with:

```
openssl rsa -in privkey.pem -out privkey.rsa.pem
```

It works !?!

vimdiff shows me the difference in the files visually, and one can see that not only is the heading different, but the content has also been changed (after the first 4 characters).

And thus my question:

Is the key created in DER - PEM format, even though I specify not to use DER in the create line?

jww
Adesso
  • 1) This probably should be asked on superuser.com. 2) PEM is not really a format per se, it's just a metaformat/filename suffix commonly used for base64 encoded *stuff* of various formats. The `req` command produces a PEM file in openssl-proprietary RSA private key format. The `rsa` command then converts this to the more commonly accepted PKCS-8 private key format. – President James K. Polk Jun 12 '17 at 13:01
  • The private key is in PEM format. A simple `cat` would verify it for you. Related, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) The first creates a CSR. – jww Jun 12 '17 at 17:46

1 Answer


The only way I have found to generate a key in RSA format is to first create the keyfile with

```
openssl genrsa -out ./yourkeyfile.key 2048
```

and then use the file to create a CSR with

```
openssl req -new -sha256 -key yourkeyfile.key -out yourcsrfile.csr
```

If you use the one-line command, the keyfile is created in DER format.

```
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout yourkeyfile.key -out yourcsrfile.csr
```
Adesso
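Added example, not part of the question or the answer above: a PEM file labelled `BEGIN PRIVATE KEY` carries a PKCS#8 PrivateKeyInfo and one labelled `BEGIN RSA PRIVATE KEY` carries a PKCS#1 RSAPrivateKey, and this Python code tells them apart by DER structure and shows that the PKCS#8 body wraps the PKCS#1 one, which is why the base64 only matches for the first four characters (`MIIE`). The function names and the dummy sample keys are constructed for illustration; an unencrypted RSA key is assumed.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)
KINDS = {b"\x30": "PKCS#8 PrivateKeyInfo", b"\x02": "PKCS#1 RSAPrivateKey"}

def der(tag, value):  # encode one DER element; only used to build the samples
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem(label, data):  # wrap DER bytes in PEM armor, 64 characters per line
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def classify(pem_text):
    """Return (armor label, DER structure) of an unencrypted private key."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM armor: raw DER or not a key file")
    raw = base64.b64decode(m.group(2))
    tag, start, _ = read_tlv(raw, 0)       # outer SEQUENCE
    vtag, _, vend = read_tlv(raw, start)   # version INTEGER
    known = tag == 0x30 and vtag == 0x02
    return m.group(1), (KINDS.get(raw[vend:vend + 1], "unknown") if known else "unknown")

def unwrap_pkcs8(pem_text):  # re-armor the RSAPrivateKey held inside PKCS#8
    raw = base64.b64decode(PEM_RE.search(pem_text).group(2))
    _, pos, _ = read_tlv(raw, 0)           # enter the outer SEQUENCE
    for _skip in range(2):                 # skip version and AlgorithmIdentifier
        _, _, pos = read_tlv(raw, pos)
    _, start, end = read_tlv(raw, pos)     # OCTET STRING payload
    return pem("RSA PRIVATE KEY", raw[start:end])

# Constructed samples: dummy integers sized like a 2048-bit key, not usable keys.
ALG_RSA = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL
PKCS1_DER = der(0x30, der(0x02, b"\x00") + der(0x02, b"\x01" * 1180))
PKCS8_DER = der(0x30, der(0x02, b"\x00") + ALG_RSA + der(0x04, PKCS1_DER))
PKCS1_PEM, PKCS8_PEM = pem("RSA PRIVATE KEY", PKCS1_DER), pem("PRIVATE KEY", PKCS8_DER)
```

To check a real file, pass its text to `classify(open(path).read())`; a `ValueError` about missing armor means the file is binary DER or not a key at all.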