Generating a PKCS#1-format RSA key with openssl on macOS

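On Linux, openssl genrsa produces a key in PKCS#1 format, but on macOS the generated key was in PKCS#8 format. On inspection, the cause turned out to be that MacPorts had recently been installed on the macOS machine, and the openssl installed by MacPorts is a newer version whose default key output format is PKCS#8.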

The genrsa help from the older version on macOS is as follows:

/usr/bin/openssl genrsa -help
usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file'
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value

The genrsa help from the openssl installed by MacPorts is as follows:

/opt/local/bin/openssl genrsa -help
Usage: genrsa [options] numbits

General options:
 -help               Display this summary
 -engine val         Use engine, possibly a hardware device

Input options:
 -3                  (deprecated) Use 3 for the E value
 -F4                 Use the Fermat number F4 (0x10001) for the E value
 -f4                 Use the Fermat number F4 (0x10001) for the E value

Output options:
 -out outfile        Output the key to specified file
 -passout val        Output file pass phrase source
 -primes +int        Specify number of primes
 -verbose            Verbose output
 -traditional        Use traditional format for private keys
 -*                  Encrypt the output with any supported cipher

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 numbits             Size of key in bits

The latter has an additional '-traditional' option. The genrsa manual shows that this option is the one that produces a key in PKCS#1 format.

man openssl-genrsa

       -traditional
           Write the key using the traditional PKCS#1 format instead of the PKCS#8 format.

So with the newer openssl, add the "-traditional" option to generate a PKCS#1-format RSA key.

openssl genrsa -traditional -out rsa-traditional-1024 1024
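
As an added example (not from the original post), the shell functions below tell the two formats apart by their PEM header line and generate a PKCS#1 key with whichever openssl is first in PATH, passing -traditional only when the genrsa help lists it. The function names pem_key_format and genrsa_pkcs1 are hypothetical, and the sample is a constructed header line, not a real key.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of openssl.

# pem_key_format FILE: classify a PEM private key by its first BEGIN line.
#   "BEGIN RSA PRIVATE KEY"       -> PKCS#1 (traditional)
#   "BEGIN PRIVATE KEY"           -> PKCS#8
#   "BEGIN ENCRYPTED PRIVATE KEY" -> PKCS#8, passphrase-protected
pem_key_format() {
    # tr strips a trailing CR so files with Windows line endings still match
    case "$(grep -m1 -e '^-----BEGIN ' -- "$1" 2>/dev/null | tr -d '\r')" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# genrsa_pkcs1 OUTFILE NUMBITS: write a PKCS#1 key with the openssl in PATH.
genrsa_pkcs1() {
    (
        umask 077   # private key file readable by its owner only
        if openssl genrsa -help 2>&1 | grep -q -e '-traditional'; then
            openssl genrsa -traditional -out "$1" "$2"
        else
            openssl genrsa -out "$1" "$2"
        fi
    ) || return 1
    # Confirm the format instead of trusting the version's default
    [ "$(pem_key_format "$1")" = pkcs1 ]
}

# Constructed sample: a header line only, no key material.
sample=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$sample"
echo "sample is $(pem_key_format "$sample")"   # prints: sample is pkcs8
rm -f "$sample"
```

genrsa_pkcs1 returns non-zero if the file it wrote does not start with the PKCS#1 header, so a script that depends on the format fails at generation time instead of later in whatever consumes the key.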

Reposted from blog.csdn.net/alpbrook/article/details/121883918