0

I'm trying to understand the difference between generating a private key using openssl genrsa and adding -newkey to req.

I found a 2014 answer saying the underlying code is the same, one from 2015 saying the encryption is different, and a 2017 mailing list answer saying genrsa "creates keys in a legacy RSA algorithm-specific format." However, I don't see any reference to this in the docs for genrsa nor for req.

Is there any substantial difference between them?

pollirrata
  • 103
  • 3

1 Answers1

2

By default, the openssl genrsa in both OpenSSL 1.1.1f & 3.0.9 generates a 2048-bit RSA key, as well as the openssl req -newkey rsa. If you examine the resulting private keys with openssl rsa -text you will notice that there are the same key components of the same size.

The main difference seems to be that openssl req -newkey rsa protects the private key with a password by default, whereas openssl genrsa requires an extra parameter for that.

Esa Jokinen
  • 18,957
  • 6
  • 58
  • 61
  • 2
    In versions below 3.0.0 genrsa writes 'traditional' (PKCS1) format; in 3.0.0 up it writes PKCS8. req -newkey writes PKCS8 since 1.0.0. genrsa defaults to unencrypted, but you can specify encryption with (almost) any cipher; req -newkey is encrypted unless either commandline option or the config file says no, and if encrypted is always 3DES. If you don't specify the length (which you can and always could in either method) the default is 2048 since 1.0.2 for genrsa and 1.0.2g for req -newkey; before those it was less and sometimes differed between the two methods. – dave_thompson_085 Oct 08 '23 at 01:21