題 OpenSSL如何從2048位私鑰生成1024位CSR?


我有一個2048位RSA privateKey.pem,我發現它已經生成了幾個1024位證書請求開始:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

我認為不可能從2048位私鑰生成1024位證書。所以我得到了證實 這裡:sslshopper 並驗證了2048位密鑰和1024位CSR都具有相同的指紋(散列值)。

我怎樣才能在OpenSSL中從2048位privateKey.pem生成1024位CSR?

我試過了:

openssl req -out CSRequest.pem 1024 -key privateKey.pem -new
openssl req -config csr.cnf -out CSRequest.pem -key privateKey.pem -new

在csr.cnf文件中我試過:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 1024

但它仍然會生成2048位證書請求。如何從privateKey.pem獲取1024位CSR?任何幫助都非常感謝。

更新: 在這裡,您可以從下面的2048位RSA私鑰中看到我想要的1024位CSR:

-----BEGIN CERTIFICATE REQUEST-----
MIIBxDCCAS0CAQAwgYMxLTArBgNVBAMTJDNDM0U4MDRELTU5QTYtNDlCRi04MkU3
LTJBMTFFMEZDMDkzNjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlDdXBlcnRpbm8xEzARBgNVBAoTCkFwcGxlIEluYy4xDzANBgNVBAsTBmlQaG9u
ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqVEaqL9/FgLcalnSRqZj6Ngl
4kJ3FqLEyBxluHr83bosAEdKg2fJBn0A1Mp2/A2h4XVt1+/qUFH9eHRY/qUiZLl4
0eyukRcHmNu0nyo9WDE68VcQ8HP82yvL+rS7kB/u1ojUVaCwTFGFyf5f+vkHlpkz
9CEjc44gfqYAswzVQzkCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAGjtJwvvNqV0
7Ih8XURC+rMGdEoND4ua5UJDfnx5BX40upqPbP0iEaUfjE74n55Zem5Fs6LwDy26
TktiKKejZfK/E/3TVySElxeZltOu0cn13YdAcgPIDC4B4Akcn3pGWeFldk1k+08i
Id12Hgfb9tbdZUxisvMV7dug+mbbkkfj
-----END CERTIFICATE REQUEST-----

上面的1024位CSR匹配下面的2048位私鑰:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIvDmH6zgXQngCAggA
MBQGCCqGSIb3DQMHBAiYfHVS67eUUgSCBMitdJuAxzNL/MmjQC9/5oECX3glXWtj
nCekkFS4rAheu4iszqmiRbRnuUFeSwV28oOyVBzK3XSBQbyxEIG82vNcPBfTImUa
7YUX2ebVXcv1WV5ZpJ4RIP1yIgX7BeBWJInFjIIOR7shjADt+368wdBpdqheafQ9
orxxpIg+v9vsbZV/ho2zEfO1lwhX6J5ErLBvpHscg0woFh7RUtcNpvkjSp/edvsC
CVhcO9I4NzVtgYPfYT5qFFQ6zqf6p+vscvZDjOMTl+awY31JEbFAXBzPq/buf5pb
x6nOxOCC8vfLTtF/EhZ6rUAmyqWWo3gqKaSL3ulzkZvByg4kmtoU2U6UhTIUeJy3
+nV87wryEgIXysPRb7znfFVO1BeGA+xw5cOF9pL4/IWlikqOpJNPShYtRzkjUUJQ
Gt104d90lVheqqW598HQpF2nLL/s7kYbiBLpFmcxEcjEi119oFRYrd5qs1CNjA5i
f3yLJqtKIDoZe7H6AJNnJeun7vJFwB0j/CrDV74omSvQVb0zXrg9Sk6VHn62O28Y
iESyNgkaQ9aLa/xBMMEtCb1nv0dlLbbbFAlrQZVRc1VEyPunNn4u1crV60LHuHo/
oagvfPQQJoiCL+pBxPsHc4OU4Iq7hhDvJ2Eo9ldhERmWZUxDEcZLpIzro4gkav8U
lGgIFdHtYl8DNVRZXeQ2NPw6qe7OTVjqnB1MbvWpbNBAwru7wVbtHVQAI4Bt6V7W
x0TrIW4SKuO7D3bzm444kEmAMMAZ5II54zr+p2zf31KQUHO8U/xgshSmdQzcJ5G4
jztPBbihXqRClL98BRVfCIcRKGQbhrVlRXoj9rDtQaPpQioYOlwJ40Yhk22n8UCy
fNQVAWmP3lRl8M0kyChOGTchqQEFROO3Ur4OP0tRTKkO53mg/TDFSuZKQBKErryM
ICeHIeWoZ1wNyiTTgXZn3Lcwdb5HT8jW8ySJL68bkQ7tBzJEjrWG2PkL5/CBLrRm
xNTNmZ4U8KiHKKtPCFbhARJRM1iVXZIKc3/zONlaSycikb7cew+zFMP3WwBmyEoT
bmfIbkhJ94D45hwAzxw7iXAlzwG1ZHLDrSdWQe5IEaAD+QyZC13NPO/LIg5G8s5t
TdyDdyKieE/BIFx67mx8sf3v6JhLyzL1O+iMBB/wrEUG6AorRUYIqGcZ1maoTqoK
/p0lOxqm+V3TnDHbGkK+l/IRkM1rUPSnkVbTmNm/zf+OvyHYPtcCA+bmdSJtOcsd
fEWkkMXGy53K7/1lar/Vj9UwzTND+QnV5mWJ5MmOQ3t95hx7IcesXRWUQAHubPki
j8Rvpleu+ObxrAsXejhqG1DlDffrkZE/v3cHqWVsjnJcXsPpDScmR+fyXdXlyMEj
GBlPP4W0ker9z9GUN3d7B2A6GYzWGhHT6MnRAcohYzq4uee82lcc06dy3FNDLNZE
d/QfQEfdEKIw1IDD+u/oHliUPLjQCEIlQU651OW52XhkdhJj9ya8Al54t6qv8m9K
GLFVQlbS941A/Sr9tS82kYamaf9yjcq0s6ScRVH2KFYxCZhZBZ/UcWqeqRWYtjeK
miz3tr9pK4pbyXa7qpekgmybw8R18+cqfr1y6AMmdJpqDEzkDK6n/4HiKN40/3se
ReM=
-----END ENCRYPTED PRIVATE KEY-----

可以驗證此CSR +密鑰是否與此匹配:

https://www.sslshopper.com/certificate-key-matcher.html

這怎麼可能,如何通過這個私鑰製作這樣的CSR?


2
2017-08-26 07:01


起源


您無法從2048位私鑰創建1024位公鑰。私鑰包含足夠的信息來恢復公鑰,但它將是相同的2048位密鑰。
@ Crypt32我不需要公鑰。問題是如何使用2048位私鑰生成1024位證書請求
@Cyborg CSR只是您的公鑰,捆綁了一些身份信息,如電子郵件證書的全名和電子郵件地址,或TLS證書的服務器域名。如果您有一個2048位密鑰對並且想要為其創建CSR,則該CSR將包含2048位公鑰。這就是它的工作原理。 - Spiff
@ Crypt32我認為直到我看到1024位CSR與2048位私鑰匹配才有可能。請通過CSR + Key查看我的更新問題。 - Cyborg
請提供密鑰的密碼,以便我們向您展示正在發生的事情。我懷疑它的缺點是,公鑰有兩個參數: {n,e};而你的私鑰有三個參數 {n,e,d} (來自PKCS#1的簡短形式)或八個參數 {n,e,d,q,p,dp,dq,qinv} (具有來自PKCS#1的CRT參數的長格式)。 e 很小,但是 d 和...一樣大 n 所以 {n,e,d} 使原始“字節大小”看起來是公鑰的兩倍。 - jww


答案:


當您認為這些CSR包含與2048位密鑰對的指紋匹配的1024位公鑰時,您一定是錯誤的。

生成密鑰對時,對中的兩個密鑰總是相同的長度。加密算法不會起作用。

生成密鑰對後,一個密鑰被視為私鑰,一個密鑰被視為公鑰。公鑰是進入證書籤名請求並成為證書一部分的公鑰。

無法基於2048位私鑰為CSR創建1024位公鑰。你的2048位私鑰有 唯一的一個 它使用的公鑰,該密鑰也是2048位。它不會以任何其他方式工作。

沒有人創建公鑰加密算法,它允許您生成多個不同密鑰長度的公鑰,這些公鑰都使用相同的私鑰。

如果由於某種奇怪的原因,您的CSR實際上必須限制為1024位公鑰,那麼您必須生成一個新的1024位密鑰對並使用它來代替您的2048位密鑰對。


2
2017-08-27 03:47



請參閱我的更新問題,在那裡您可以看到1024位CSR匹配2048位私鑰。 - Cyborg


看起來你正在使用兩個不同的鍵。當你準備你的請求時,我猜你在某個地方劃過電線。

如果我們使用您的私鑰並將其轉換為公鑰,那麼我們可以看到私鑰中的模數(以及我們轉換的公鑰)與CSR請求中的模數不匹配。這是轉換後的密鑰:

$ openssl rsa -in test-priv.pem -pubout -out test-pub.pem -outform PEM
$ openssl rsa -in test-pub.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:df:67:e1:83:d9:e8:7e:b9:ec:7e:93:04:87:3f:
    23:b9:f4:3d:e3:8c:fb:2e:2c:bb:0c:b6:20:6b:43:
    b5:a0:8d:7f:5d:5f:6d:f0:b9:7a:91:d3:b7:ab:7e:
    2c:5d:09:1b:bb:18:1b:db:0e:85:ea:29:8e:10:8e:
    6f:a3:7f:8c:54:65:c2:54:ad:93:a4:51:c9:77:52:
    e3:b8:15:60:5e:ab:94:1b:f1:c4:03:f1:78:34:63:
    42:bf:2b:97:41:ca:fa:3e:8d:0d:bb:2a:24:93:14:
    0c:85:91:32:46:e0:6f:ac:d8:af:16:8f:41:ff:22:
    8f:56:d8:f1:18:96:47:28:0b:92:5e:1a:00:dc:02:
    a7:a5:86:40:70:70:9d:a0:92:0c:6c:22:d9:ba:3a:
    ca:ca:22:c5:9c:9c:6d:0d:1a:cd:0e:e3:82:dd:42:
    b9:86:7b:54:65:22:bd:cf:e2:f6:c4:d1:ff:00:5a:
    83:ce:ed:01:ff:66:99:99:47:a5:eb:37:2e:d4:28:
    a3:b4:e9:8f:32:58:16:4b:12:5a:66:a7:c4:da:86:
    b8:de:4b:f3:6a:de:00:51:a5:5e:0e:d3:a5:52:37:
    d9:34:b3:af:42:37:b2:82:4f:c9:ec:07:18:c5:92:
    e0:65:6b:25:9b:53:9e:31:d1:60:bc:96:8d:cd:93:
    41:1b
Exponent: 65537 (0x10001)

以下是以人類可讀形式轉儲的CSR和私鑰。


這是您的CSR:

$ openssl req -in test-csr.pem -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=3C3E804D-59A6-49BF-82E7-2A11E0FC0936, C=US, ST=CA, L=Cupertino, O=Apple Inc., OU=iPhone
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:51:1a:a8:bf:7f:16:02:dc:6a:59:d2:46:a6:
                    63:e8:d8:25:e2:42:77:16:a2:c4:c8:1c:65:b8:7a:
                    fc:dd:ba:2c:00:47:4a:83:67:c9:06:7d:00:d4:ca:
                    76:fc:0d:a1:e1:75:6d:d7:ef:ea:50:51:fd:78:74:
                    58:fe:a5:22:64:b9:78:d1:ec:ae:91:17:07:98:db:
                    b4:9f:2a:3d:58:31:3a:f1:57:10:f0:73:fc:db:2b:
                    cb:fa:b4:bb:90:1f:ee:d6:88:d4:55:a0:b0:4c:51:
                    85:c9:fe:5f:fa:f9:07:96:99:33:f4:21:23:73:8e:
                    20:7e:a6:00:b3:0c:d5:43:39
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         68:ed:27:0b:ef:36:a5:74:ec:88:7c:5d:44:42:fa:b3:06:74:
         4a:0d:0f:8b:9a:e5:42:43:7e:7c:79:05:7e:34:ba:9a:8f:6c:
         fd:22:11:a5:1f:8c:4e:f8:9f:9e:59:7a:6e:45:b3:a2:f0:0f:
         2d:ba:4e:4b:62:28:a7:a3:65:f2:bf:13:fd:d3:57:24:84:97:
         17:99:96:d3:ae:d1:c9:f5:dd:87:40:72:03:c8:0c:2e:01:e0:
         09:1c:9f:7a:46:59:e1:65:76:4d:64:fb:4f:22:21:dd:76:1e:
         07:db:f6:d6:dd:65:4c:62:b2:f3:15:ed:db:a0:fa:66:db:92:
         47:e3

這是你的私鑰。它的“長形”來自 PKCS#1。它包括的參數 中國剩餘定理(CRT)

$ openssl rsa -in test-priv.pem -text -noout
Enter pass phrase for test-pk.pem:
Private-Key: (2048 bit)
modulus:
    00:df:67:e1:83:d9:e8:7e:b9:ec:7e:93:04:87:3f:
    23:b9:f4:3d:e3:8c:fb:2e:2c:bb:0c:b6:20:6b:43:
    b5:a0:8d:7f:5d:5f:6d:f0:b9:7a:91:d3:b7:ab:7e:
    2c:5d:09:1b:bb:18:1b:db:0e:85:ea:29:8e:10:8e:
    6f:a3:7f:8c:54:65:c2:54:ad:93:a4:51:c9:77:52:
    e3:b8:15:60:5e:ab:94:1b:f1:c4:03:f1:78:34:63:
    42:bf:2b:97:41:ca:fa:3e:8d:0d:bb:2a:24:93:14:
    0c:85:91:32:46:e0:6f:ac:d8:af:16:8f:41:ff:22:
    8f:56:d8:f1:18:96:47:28:0b:92:5e:1a:00:dc:02:
    a7:a5:86:40:70:70:9d:a0:92:0c:6c:22:d9:ba:3a:
    ca:ca:22:c5:9c:9c:6d:0d:1a:cd:0e:e3:82:dd:42:
    b9:86:7b:54:65:22:bd:cf:e2:f6:c4:d1:ff:00:5a:
    83:ce:ed:01:ff:66:99:99:47:a5:eb:37:2e:d4:28:
    a3:b4:e9:8f:32:58:16:4b:12:5a:66:a7:c4:da:86:
    b8:de:4b:f3:6a:de:00:51:a5:5e:0e:d3:a5:52:37:
    d9:34:b3:af:42:37:b2:82:4f:c9:ec:07:18:c5:92:
    e0:65:6b:25:9b:53:9e:31:d1:60:bc:96:8d:cd:93:
    41:1b
publicExponent: 65537 (0x10001)
privateExponent:
    00:87:8c:ac:14:28:1f:1c:e5:0a:4d:32:3e:c9:20:
    d2:38:7d:ad:1f:67:e6:ef:79:4c:74:c5:fc:9d:98:
    93:97:3a:c3:50:90:1a:50:b8:f9:59:89:b0:23:69:
    86:d9:5c:31:6b:2f:91:97:34:14:a4:a3:5a:03:49:
    a9:0a:f6:d4:da:50:73:bc:95:24:c3:ca:ac:06:ae:
    50:64:dc:f3:7f:fd:72:fc:11:90:f1:23:8d:df:9b:
    6a:60:3b:be:a6:b8:d5:65:26:88:72:4b:7b:ad:91:
    b8:97:42:25:d3:43:51:fe:f9:ea:22:32:01:c5:1f:
    df:00:be:d8:6a:26:a4:3d:f2:c5:43:06:5d:54:75:
    f3:08:87:24:07:41:c2:4e:12:23:70:85:ba:64:cc:
    64:25:72:95:57:85:53:b7:9c:0b:f2:68:c8:a9:9f:
    e0:f2:1a:0d:cb:aa:97:cd:c1:82:45:8e:8c:8a:fd:
    26:da:79:19:26:2d:d3:37:3e:f0:36:1a:65:aa:f4:
    70:23:2d:1d:40:07:7a:51:4f:00:80:91:b1:60:8f:
    2d:ae:69:35:41:d4:41:a7:3d:45:19:b8:81:9e:30:
    58:90:44:1b:e6:00:bd:5a:1e:99:72:35:61:c2:af:
    a0:b3:d1:dd:e8:e4:50:30:b1:89:6c:6a:75:6f:b5:
    70:21
prime1:
    00:ef:d7:79:91:22:83:ad:a8:e8:66:e6:65:c0:bd:
    0d:b5:bd:85:51:1e:1a:e0:7a:c0:12:17:1b:02:a0:
    67:05:3a:41:14:9e:12:96:5b:0d:1a:b8:8a:aa:64:
    62:6d:ab:11:f2:55:99:45:22:9c:6a:9c:dc:27:28:
    66:c6:84:f3:94:43:9c:07:d4:90:db:74:c6:b7:39:
    0d:e6:d4:c1:4c:dd:75:90:15:59:e2:de:bd:a6:ff:
    35:b9:2a:51:f6:b1:93:5c:92:5d:ca:43:d2:d7:85:
    ea:9c:76:f8:ec:92:1f:10:f2:72:33:1d:13:19:3b:
    b7:8c:cc:37:08:1c:06:69:57
prime2:
    00:ee:74:f0:01:f3:9f:6d:5d:81:d3:fc:b4:4c:ef:
    bf:0b:15:41:4c:13:98:81:69:1e:b2:bc:43:41:65:
    50:1f:9a:67:97:ec:78:26:24:e5:61:52:33:c6:85:
    bc:20:17:17:ab:78:24:32:99:0d:7b:f6:b9:5b:ab:
    58:e1:52:fc:1e:2c:91:11:df:cc:32:61:93:c6:e5:
    a9:ff:bd:8f:b9:41:54:f3:22:28:4c:e3:ee:43:c5:
    59:22:7d:c5:91:89:45:db:44:bf:a8:1a:40:e2:55:
    22:ff:75:86:c4:e8:d7:0f:ef:7e:05:a9:1d:5c:6b:
    da:76:e9:0f:72:92:58:97:dd
exponent1:
    65:53:fb:a0:3d:9c:b4:39:b0:36:09:10:e4:24:fb:
    2d:d5:2c:05:e1:5a:29:8c:b2:a8:f1:ea:0f:6a:05:
    1c:48:48:46:95:a1:f4:b3:f3:0d:5e:f9:f6:93:02:
    a2:a2:ab:aa:5e:4f:aa:cd:bc:97:ae:3d:b4:ad:74:
    fe:5a:1d:2e:7e:81:e5:2d:01:26:36:67:dd:f0:d4:
    d6:b8:fc:11:a5:5e:8d:c8:f7:78:c9:f2:06:23:bc:
    66:c6:62:6a:7f:0b:6b:08:cb:67:30:d0:5b:0d:d0:
    d8:d9:ca:c0:e7:db:08:25:e5:e9:82:57:17:4a:0b:
    7a:08:ad:17:57:ff:bd:71
exponent2:
    35:c5:14:a1:bc:07:c5:27:82:b1:04:98:bb:88:8c:
    31:b9:97:41:ca:61:67:3d:06:f9:12:ce:af:9e:62:
    d4:dd:82:62:95:a5:fa:23:f3:bd:60:45:e0:8c:23:
    81:b0:f3:5b:6c:f9:ec:96:ea:9d:7b:63:0c:b2:b4:
    96:0a:9a:63:4b:75:62:ec:6e:25:26:2f:a6:77:ff:
    3f:75:c5:44:e6:e0:7a:fa:c6:cf:9f:ce:08:66:25:
    d5:4b:3b:13:b8:3a:92:59:0c:46:a1:b4:e3:d4:82:
    d1:cb:f4:99:ce:4f:40:7e:a6:92:2c:32:3c:b6:ed:
    4a:46:ff:7e:bc:55:51:d9
coefficient:
    00:9d:c7:09:74:a6:f6:f7:8a:2d:2c:d6:dd:32:ef:
    45:ef:be:06:e5:57:67:55:03:9a:87:a2:38:e5:86:
    5f:b1:4f:6a:cb:72:db:e2:a7:95:e4:e0:40:54:67:
    92:8e:20:dd:9a:02:59:7f:6f:ef:70:45:77:8b:48:
    25:68:1a:00:a3:60:23:5f:5e:41:e9:68:0c:68:fc:
    0a:42:a4:56:a8:29:ad:de:c9:8c:eb:b9:df:f6:00:
    ef:aa:e0:5a:06:72:54:80:9d:e0:ca:f4:d0:34:30:
    4d:4c:0e:d7:9c:e0:29:e2:b8:4d:be:a7:9a:39:15:
    fb:b7:5e:15:fa:18:44:f3:2a

OpenSSL如何從2048位私鑰生成1024位CSR?

要回答公開的名義問題,你不能。

您可以將不同的密鑰大小與鏈中的證書相關聯。例如,根CA可能具有4096位密鑰,用於證明2048位終端實體/服務器服務器證書。該標準甚至已經放寬,因此您可以獲得證明RSA證書的EC證書。


1
2017-08-27 15:33



如果我理解正確:你的意思是多個RSA密鑰,如: 4096bit-priv.pem, 2048bit-priv.pem 和 1024bit-priv.pem 可以有相同的指紋?並且如上所述生成CSR我需要 1024bit-priv.pem 我們已經擁有相同的指紋 test-priv.pem ? - Cyborg
“4096bit-priv.pem,2048bit-priv.pem和1024bit-priv.pem可以有相同的指紋...”  - 嗯,他們可以,但它非常不可能。實際上,你會發現哈希上的衝突。另見 計算SHA-1哈希衝突。所需要的只是五個聰明的大腦......以及6,610年的處理器時間。 “我需要帶有相同指紋的1024bit-priv.pem?”  - 我不相信。 CA將使用您的名稱和公鑰,將它們打包到X.509證書中,並簽署證書以對其進行認證。 - jww
要明確的是,這就是證書的全部內容。它將公鑰綁定到身份。我已經看到很多非常糟糕的解釋,所以不要一邊追踪。指紋是一個關鍵標識符,用於加速路徑建立; 又名 “驗證鏈”。如果您想了解血腥細節,請參閱RFC 4158, Internet X.509公鑰基礎結構:認證路徑構建。 - jww