How to make self-signed RSA_PSS_RSAE certificate using Openssl

I would like to make a certificate like the following. rsassaPss as Signature Algorithm and rsaEncryption as Public Key Algorithm.

Certificate:
    Data:
        Version: 3 (0x2)
        ....
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha1 (default)
         Mask Algorithm: mgf1 with sha1 (default)
         Salt Length: 20 (default)
         Trailer Field: 0xbc (default)
        ....
        Subject: .....
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            .....

I tried the following, but both give the same result.

1

openssl genpkey -algorithm RSA-PSS -out test1\ca2.key.pem -pkeyopt rsa_pss_keygen_md:sha1 -pkeyopt rsa_pss_keygen_mgf1_md:sha1 -pkeyopt rsa_pss_keygen_saltlen:20
openssl req -x509 -new -nodes -key test1\ca2.key.pem -days 1024 -out test1\ca2.crt.pem 

2

openssl req -new -newkey rsa-pss -pkeyopt rsa_keygen_bits:2048 -sigopt  rsa_mgf1_md:sha256 -passout pass:123456 -sha256
openssl x509 -req -in test3\rootreq.pem -passin pass:123456 -sha256 -days 14600 -extensions v3_cn -signkey test3\rootkey.pem -out test3\rootcert.pem 

Can anyone help me?

To get what you show, create the keyfile as v1.5 but sign the cert with PSS. For a self-signed cert:

# in separate steps either of
openssl genrsa 2048 >keyfile 
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 >keyfile
# in either case add encryption if desired; your Q is inconsistent about that

# then
openssl req -new -x509 -key keyfile -sigopt rsa_padding_mode:pss -sha1 -sigopt rsa_pss_saltlen:20 -out certfile
# add options for subject, days, extensions, or other config as desired
# for 1.0.0 & 1.0.1 -sha1 was default for hash and can be omitted;
# in all versions MGF1 hash defaults to data hash
# but saltlen defaults to 0xEA -- I'm not sure why -- and must be set

# in one step
openssl req -new -x509 -newkey rsa:2048 -keyout keyfile -sigopt rsa_padding_mode:pss -sha1 -sigopt rsa_pss_saltlen:20 -out certfile

That said, I mostly agree with Matt's comment; this is not necessarily what you need for a TLS1.3 rsa_pss_rsae signature, if that's your actual goal. First, the signature on a self-signed, root or other anchor cert doesn't contribute to security at all and usually isn't even checked; RFC8446 4.2.3 explicitly allows that signature to not satisfy sigalgs. (Although I think this is a mistake; given the rest of the spec, it would make more sense to excuse it from sigalgs or sigalgs_cert whichever applies.)

Second, if this were a signature that matters -- on a cert issued by a (distinct) CA, which OpenSSL can also do if you want, but differently -- then using SHA-1 would be very bad. RFC8446 allows cert signatures to use SHA-1 only as a last resort -- for any publickey algorithm (RSAv1.5, RSA-PSS, ECDSA, EdDSA) -- and some implementations do not trust certs using them ever following 'shattered' and now 'shambles' (google, or look at crypto.SX and security.SX for details).
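
A way to confirm that a generated certificate has the combination asked for above (rsassaPss signature over an rsaEncryption key) and to flag the SHA-1 case the answer warns about. This is an added example, not part of the original question or answer; the function names, verdict strings and sample text are constructed, and it assumes the field labels shown in the question's dump.

```shell
#!/bin/sh
# Added example: classify a certificate's text form by signature algorithm,
# public key algorithm and PSS hash. Names and verdict strings are hypothetical.
# Reads `openssl x509 -noout -text` output on stdin and prints one line:
#   <signature alg> <public key alg> <pss hash or -> <verdict>
pss_cert_check() {
    awk '
        # Value after the label, without a trailing (default) marker.
        function val(line) {
            sub(/^[^:]*:[ \t]*/, "", line)
            sub(/[ \t]*\(default\)[ \t\r]*$/, "", line)
            sub(/[ \t\r]+$/, "", line)
            return line
        }
        # Only the first occurrence of each field is used.
        /Signature Algorithm:/  && sig == ""  { sig = val($0) }
        /Public Key Algorithm:/ && key == ""  { key = val($0) }
        /Hash Algorithm:/       && hash == "" { hash = val($0) }
        END {
            if (sig != "rsassaPss")          verdict = "not-pss-signed"
            else if (key == "rsassaPss")     verdict = "pss-only-key"
            else if (key != "rsaEncryption") verdict = "non-rsa-key"
            else if (hash == "sha1")         verdict = "rsae-key-pss-sig-sha1"
            else                             verdict = "rsae-key-pss-sig"
            printf "%s %s %s %s\n", sig, key, (hash == "" ? "-" : hash), verdict
        }'
}

# Constructed sample in the layout shown in the question (not a real cert).
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha1 (default)
         Mask Algorithm: mgf1 with sha1 (default)
         Salt Length: 20 (default)
         Trailer Field: 0xbc (default)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
EOF
}

sample_cert_text | pss_cert_check
# prints: rsassaPss rsaEncryption sha1 rsae-key-pss-sig-sha1
# real use: openssl x509 -in certfile -noout -text | pss_cert_check
```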
