openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

Allow different ciphers for encryption of new private keys in req #7313

Open luizluca opened 6 years ago

luizluca commented 6 years ago

Hello,

genpkey/genrsa allow specifying a different cipher for the private key. However, "req -newkey" will always use 3des or none.

The code is here:

https://github.com/openssl/openssl/blob/master/apps/req.c#L244
https://github.com/openssl/openssl/blob/master/apps/req.c#L661
https://github.com/openssl/openssl/blob/master/apps/req.c#L668

The "[ req ]" config encrypt_key is only used for setting as "no", equivalent to -nodes.

It would be interesting to have a parameter for setting a different cipher. Also, the "encrypt_key" config entry (or a new one) could be used for setting the default private key cipher.

Using genpkey + req with encrypted private keys will require the user to enter the private key twice or to store it outside openssl. Both are not ideal.
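
The genpkey + req combination mentioned in the post above, written out as an added example (not part of the original thread or of the OpenSSL project's code), with a check of which cipher ended up protecting the key. It assumes an `openssl` binary on PATH; the `KEY_PASS` variable, file names, config and subject are constructed for illustration.

```shell
#!/bin/sh
# Added example: assumes `openssl` is on PATH; every name below is constructed.

# Generate an RSA key encrypted with the chosen cipher, then a CSR from that key.
# $1 = output directory, $2 = cipher name accepted by genpkey (e.g. aes-256-cbc)
# Both commands read the passphrase from the KEY_PASS environment variable,
# so it is supplied once by the caller and never appears in the argument list.
make_key_and_csr() {
    dir=$1
    cipher=$2
    # Minimal constructed config so req does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        "-$cipher" -pass env:KEY_PASS -out "$dir/key.pem" &&
    openssl req -new -config "$dir/req.cnf" -key "$dir/key.pem" \
        -passin env:KEY_PASS -subj "/CN=example.test" -out "$dir/req.csr"
}

# Print the symmetric cipher recorded in an encrypted PKCS#8 key file.
key_cipher() {
    openssl asn1parse -in "$1" | grep -oE 'aes-[0-9]+-cbc|des-ede3-cbc' | head -n 1
}

# Succeed only if the CSR's self-signature verifies.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo run with a constructed passphrase.
KEY_PASS='constructed-demo-passphrase'
export KEY_PASS
demo_dir=$(mktemp -d)
make_key_and_csr "$demo_dir" aes-256-cbc
echo "key cipher: $(key_cipher "$demo_dir/key.pem")"
csr_ok "$demo_dir/req.csr" && echo "CSR verifies"
rm -rf "$demo_dir"
```

`key_cipher` can also be pointed at a key written by `req -newkey` to see which cipher that path used.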

nhorman commented 4 months ago

Marking as inactive, to be closed at the end of 3.4 dev, barring further input