Openssl Generate 4096 Bit Key
I'm trying to generate a 4096-bit DH key, but it has taken over 24 hours and the key is still trying to generate. Short cut key to generate return type eclipes. Can I make this faster?
Generate an unencrypted RSA private key: C:Opensslbinopenssl.exe genrsa -out Where: is the desired filename for the private key file is the desired key length of either 1024, 2048, or 4096; For example, type: C:Opensslbinopenssl.exe genrsa -out mykey.key 2048. Encrypted the. For these steps, you will need a command line shell with OpenSSL. Ideally, you should have a private key of your own and a public key from someone else. For demonstration, we will only use a single key pair. Generate Private Key. Run this command to generate a 4096-bit private key and output it to the private.pem file. If you like, you may.
2 Replies
You're probably not generating enough entropy on your guest. Try generating system activity, like writing to the disk.
You can also use a program like haveged. I won't speak of the security implications as that's a much more complicated subject, but you should know there could be some.
Diffie-Hellman keys can take a long time to generate because dhparam requires something known as a strong prime. Strong primes provide little to no security benefit but take a lot of effort to produce.
Instead, you should be using the -dsaparam option to decrease generation time by avoiding strong prime effort. Here's an example of that:
openssl dhparam -dsaparam -out dhparam2.pem 4096
You can read more about this in the following OpenSSL manpage where you'll find:
-dsaparam
If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, 'strong' primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.
DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
There's some additional discussion on this topic here, as well:
https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours
Common OpenSSL Commands with Keys and Certificates
Generate RSA private key with certificate in a single command
Generate Certificate Signing Request (CSR) from private key with passphrase
Generate RSA private key (2048 bit)
Generate a Certificate Signing Request (CSR)
Generate RSA private key (2048 bit) and a Certificate Signing Request (CSR) with a single command
Convert private key to PEM format
Generate a self-signed certificate that is valid for a year with sha256 hash
4096 Bit Encryption
View details of a RSA private key
Create Ssh Key 4096
View details of a CSR
View details of a Certificate
View details of a Certificate in DER format
