I have a 2048-bit RSA privateKey.pem and I see it has already generated a few 1024-bit certificate requests starting:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

I thought it was not possible to generate 1024-bit certificates from a 2048-bit private key. So I got it confirmed here: sslshopper, and verified that both the 2048-bit key and the 1024-bit CSR have the same fingerprint (hash value).

How can I, in OpenSSL, generate a 1024-bit CSR from the 2048-bit privateKey.pem?

I have tried:

openssl req -out CSRequest.pem 1024 -key privateKey.pem -new
openssl req -config csr.cnf -out CSRequest.pem -key privateKey.pem -new

In csr.cnf file I tried:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 1024

But it still generates 2048-bit certificate requests. How can I get a 1024-bit CSR from this privateKey.pem? Any help is highly appreciated.

UPDATED: Here you can see the 1024-bit CSR I want from the 2048-bit RSA private key below:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

The 1024-bit CSR above matches the 2048-bit private key below:

-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

This CSR + Key can be verified that they match here:

https://www.sslshopper.com/certificate-key-matcher.html

How is this possible, and how can I make a CSR like this from this private key?

  • You can't create a 1024-bit public key from a 2048-bit private key. The private key contains enough information to recover the public key, but it will be the same 2048-bit key.
    – Crypt32
    Commented Aug 26, 2017 at 12:08
  • @Crypt32 I don't need the public key. The question is how do I generate a 1024-bit CERTIFICATE REQUEST with a 2048-bit private key
    – Cyborg
    Commented Aug 26, 2017 at 17:51
  • @Cyborg A CSR is just your public key, bundled with some identity information, like your full name and email address in the case of email certificates, or your server's domain name in the case of TLS certificates. If you have a 2048-bit key pair and want to create a CSR for it, that CSR is going to contain the 2048-bit public key. That's just how it works.
    – Spiff
    Commented Aug 27, 2017 at 3:51
  • @Crypt32 I also thought it was not possible until I saw the 1024-bit CSR matches the 2048-bit private key. Please see my updated question with CSR + key.
    – Cyborg
    Commented Aug 27, 2017 at 14:25
  • Please provide the password for the key so we can show you what is happening. I suspect the short of it is, the public key has two parameters: {n,e}; while your private key has either three parameters {n,e,d} (short form from PKCS #1) or eight parameters {n,e,d,q,p,dp,dq,qinv} (long form with CRT parameters from PKCS #1). e is small, but d is as large as n, so {n,e,d} makes the raw "byte size" appear to be double that of a public key.
    – jww
    Commented Aug 27, 2017 at 14:55

2 Answers

You must have been mistaken when you thought those CSRs contained a 1024-bit public key that matched the fingerprint of a 2048-bit key pair.

When you generate a key pair, both keys in the pair are always the same length. The crypto algorithms wouldn't work otherwise.

After generating a key pair, one key is deemed the private key, and one is deemed the public key. The public key is the one that goes into your Certificate Signing Request and becomes part of your certificate.

There's no way to create a 1024-bit public key for your CSR based on a 2048-bit private key. Your 2048-bit private key has one and only one public key that it works with, and that key is also 2048 bits. It wouldn't work any other way.

No one has created a public key crypto algorithm that lets you generate multiple public keys of varying key lengths that all work with the same private key.

If for some odd reason your CSR really must be limited to a 1024-bit public key, then you must generate a new 1024-bit key pair and use that instead of your 2048-bit key pair.

  • Please see my updated question, there you can see 1024 bit CSR matches 2048 bit Private Key.
    – Cyborg
    Commented Aug 27, 2017 at 14:20

It looks like you are using two different keys. I'm guessing you crossed your wires somewhere along the line when you were preparing your request.

If we take your private key and convert it to a public key, then we can see the modulus in the private key (and public key we converted) does not match the modulus in the CSR request. Here is the converted key:

$ openssl rsa -in test-priv.pem -pubout -out test-pub.pem -outform PEM
$ openssl rsa -in test-pub.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:df:67:e1:83:d9:e8:7e:b9:ec:7e:93:04:87:3f:
    23:b9:f4:3d:e3:8c:fb:2e:2c:bb:0c:b6:20:6b:43:
    b5:a0:8d:7f:5d:5f:6d:f0:b9:7a:91:d3:b7:ab:7e:
    2c:5d:09:1b:bb:18:1b:db:0e:85:ea:29:8e:10:8e:
    6f:a3:7f:8c:54:65:c2:54:ad:93:a4:51:c9:77:52:
    e3:b8:15:60:5e:ab:94:1b:f1:c4:03:f1:78:34:63:
    42:bf:2b:97:41:ca:fa:3e:8d:0d:bb:2a:24:93:14:
    0c:85:91:32:46:e0:6f:ac:d8:af:16:8f:41:ff:22:
    8f:56:d8:f1:18:96:47:28:0b:92:5e:1a:00:dc:02:
    a7:a5:86:40:70:70:9d:a0:92:0c:6c:22:d9:ba:3a:
    ca:ca:22:c5:9c:9c:6d:0d:1a:cd:0e:e3:82:dd:42:
    b9:86:7b:54:65:22:bd:cf:e2:f6:c4:d1:ff:00:5a:
    83:ce:ed:01:ff:66:99:99:47:a5:eb:37:2e:d4:28:
    a3:b4:e9:8f:32:58:16:4b:12:5a:66:a7:c4:da:86:
    b8:de:4b:f3:6a:de:00:51:a5:5e:0e:d3:a5:52:37:
    d9:34:b3:af:42:37:b2:82:4f:c9:ec:07:18:c5:92:
    e0:65:6b:25:9b:53:9e:31:d1:60:bc:96:8d:cd:93:
    41:1b
Exponent: 65537 (0x10001)

Below is the CSR and private key dumped in a human-readable form.

Here is your CSR:

$ openssl req -in test-csr.pem -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=3C3E804D-59A6-49BF-82E7-2A11E0FC0936, C=US, ST=CA, L=Cupertino, O=Apple Inc., OU=iPhone
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:51:1a:a8:bf:7f:16:02:dc:6a:59:d2:46:a6:
                    63:e8:d8:25:e2:42:77:16:a2:c4:c8:1c:65:b8:7a:
                    fc:dd:ba:2c:00:47:4a:83:67:c9:06:7d:00:d4:ca:
                    76:fc:0d:a1:e1:75:6d:d7:ef:ea:50:51:fd:78:74:
                    58:fe:a5:22:64:b9:78:d1:ec:ae:91:17:07:98:db:
                    b4:9f:2a:3d:58:31:3a:f1:57:10:f0:73:fc:db:2b:
                    cb:fa:b4:bb:90:1f:ee:d6:88:d4:55:a0:b0:4c:51:
                    85:c9:fe:5f:fa:f9:07:96:99:33:f4:21:23:73:8e:
                    20:7e:a6:00:b3:0c:d5:43:39
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         68:ed:27:0b:ef:36:a5:74:ec:88:7c:5d:44:42:fa:b3:06:74:
         4a:0d:0f:8b:9a:e5:42:43:7e:7c:79:05:7e:34:ba:9a:8f:6c:
         fd:22:11:a5:1f:8c:4e:f8:9f:9e:59:7a:6e:45:b3:a2:f0:0f:
         2d:ba:4e:4b:62:28:a7:a3:65:f2:bf:13:fd:d3:57:24:84:97:
         17:99:96:d3:ae:d1:c9:f5:dd:87:40:72:03:c8:0c:2e:01:e0:
         09:1c:9f:7a:46:59:e1:65:76:4d:64:fb:4f:22:21:dd:76:1e:
         07:db:f6:d6:dd:65:4c:62:b2:f3:15:ed:db:a0:fa:66:db:92:
         47:e3

And here is your private key. It's the "long form" from PKCS #1. It includes the parameters for the Chinese Remainder Theorem (CRT).

$ openssl rsa -in test-priv.pem -text -noout
Enter pass phrase for test-pk.pem:
Private-Key: (2048 bit)
modulus:
    00:df:67:e1:83:d9:e8:7e:b9:ec:7e:93:04:87:3f:
    23:b9:f4:3d:e3:8c:fb:2e:2c:bb:0c:b6:20:6b:43:
    b5:a0:8d:7f:5d:5f:6d:f0:b9:7a:91:d3:b7:ab:7e:
    2c:5d:09:1b:bb:18:1b:db:0e:85:ea:29:8e:10:8e:
    6f:a3:7f:8c:54:65:c2:54:ad:93:a4:51:c9:77:52:
    e3:b8:15:60:5e:ab:94:1b:f1:c4:03:f1:78:34:63:
    42:bf:2b:97:41:ca:fa:3e:8d:0d:bb:2a:24:93:14:
    0c:85:91:32:46:e0:6f:ac:d8:af:16:8f:41:ff:22:
    8f:56:d8:f1:18:96:47:28:0b:92:5e:1a:00:dc:02:
    a7:a5:86:40:70:70:9d:a0:92:0c:6c:22:d9:ba:3a:
    ca:ca:22:c5:9c:9c:6d:0d:1a:cd:0e:e3:82:dd:42:
    b9:86:7b:54:65:22:bd:cf:e2:f6:c4:d1:ff:00:5a:
    83:ce:ed:01:ff:66:99:99:47:a5:eb:37:2e:d4:28:
    a3:b4:e9:8f:32:58:16:4b:12:5a:66:a7:c4:da:86:
    b8:de:4b:f3:6a:de:00:51:a5:5e:0e:d3:a5:52:37:
    d9:34:b3:af:42:37:b2:82:4f:c9:ec:07:18:c5:92:
    e0:65:6b:25:9b:53:9e:31:d1:60:bc:96:8d:cd:93:
    41:1b
publicExponent: 65537 (0x10001)
privateExponent:
    00:87:8c:ac:14:28:1f:1c:e5:0a:4d:32:3e:c9:20:
    d2:38:7d:ad:1f:67:e6:ef:79:4c:74:c5:fc:9d:98:
    93:97:3a:c3:50:90:1a:50:b8:f9:59:89:b0:23:69:
    86:d9:5c:31:6b:2f:91:97:34:14:a4:a3:5a:03:49:
    a9:0a:f6:d4:da:50:73:bc:95:24:c3:ca:ac:06:ae:
    50:64:dc:f3:7f:fd:72:fc:11:90:f1:23:8d:df:9b:
    6a:60:3b:be:a6:b8:d5:65:26:88:72:4b:7b:ad:91:
    b8:97:42:25:d3:43:51:fe:f9:ea:22:32:01:c5:1f:
    df:00:be:d8:6a:26:a4:3d:f2:c5:43:06:5d:54:75:
    f3:08:87:24:07:41:c2:4e:12:23:70:85:ba:64:cc:
    64:25:72:95:57:85:53:b7:9c:0b:f2:68:c8:a9:9f:
    e0:f2:1a:0d:cb:aa:97:cd:c1:82:45:8e:8c:8a:fd:
    26:da:79:19:26:2d:d3:37:3e:f0:36:1a:65:aa:f4:
    70:23:2d:1d:40:07:7a:51:4f:00:80:91:b1:60:8f:
    2d:ae:69:35:41:d4:41:a7:3d:45:19:b8:81:9e:30:
    58:90:44:1b:e6:00:bd:5a:1e:99:72:35:61:c2:af:
    a0:b3:d1:dd:e8:e4:50:30:b1:89:6c:6a:75:6f:b5:
    70:21
prime1:
    00:ef:d7:79:91:22:83:ad:a8:e8:66:e6:65:c0:bd:
    0d:b5:bd:85:51:1e:1a:e0:7a:c0:12:17:1b:02:a0:
    67:05:3a:41:14:9e:12:96:5b:0d:1a:b8:8a:aa:64:
    62:6d:ab:11:f2:55:99:45:22:9c:6a:9c:dc:27:28:
    66:c6:84:f3:94:43:9c:07:d4:90:db:74:c6:b7:39:
    0d:e6:d4:c1:4c:dd:75:90:15:59:e2:de:bd:a6:ff:
    35:b9:2a:51:f6:b1:93:5c:92:5d:ca:43:d2:d7:85:
    ea:9c:76:f8:ec:92:1f:10:f2:72:33:1d:13:19:3b:
    b7:8c:cc:37:08:1c:06:69:57
prime2:
    00:ee:74:f0:01:f3:9f:6d:5d:81:d3:fc:b4:4c:ef:
    bf:0b:15:41:4c:13:98:81:69:1e:b2:bc:43:41:65:
    50:1f:9a:67:97:ec:78:26:24:e5:61:52:33:c6:85:
    bc:20:17:17:ab:78:24:32:99:0d:7b:f6:b9:5b:ab:
    58:e1:52:fc:1e:2c:91:11:df:cc:32:61:93:c6:e5:
    a9:ff:bd:8f:b9:41:54:f3:22:28:4c:e3:ee:43:c5:
    59:22:7d:c5:91:89:45:db:44:bf:a8:1a:40:e2:55:
    22:ff:75:86:c4:e8:d7:0f:ef:7e:05:a9:1d:5c:6b:
    da:76:e9:0f:72:92:58:97:dd
exponent1:
    65:53:fb:a0:3d:9c:b4:39:b0:36:09:10:e4:24:fb:
    2d:d5:2c:05:e1:5a:29:8c:b2:a8:f1:ea:0f:6a:05:
    1c:48:48:46:95:a1:f4:b3:f3:0d:5e:f9:f6:93:02:
    a2:a2:ab:aa:5e:4f:aa:cd:bc:97:ae:3d:b4:ad:74:
    fe:5a:1d:2e:7e:81:e5:2d:01:26:36:67:dd:f0:d4:
    d6:b8:fc:11:a5:5e:8d:c8:f7:78:c9:f2:06:23:bc:
    66:c6:62:6a:7f:0b:6b:08:cb:67:30:d0:5b:0d:d0:
    d8:d9:ca:c0:e7:db:08:25:e5:e9:82:57:17:4a:0b:
    7a:08:ad:17:57:ff:bd:71
exponent2:
    35:c5:14:a1:bc:07:c5:27:82:b1:04:98:bb:88:8c:
    31:b9:97:41:ca:61:67:3d:06:f9:12:ce:af:9e:62:
    d4:dd:82:62:95:a5:fa:23:f3:bd:60:45:e0:8c:23:
    81:b0:f3:5b:6c:f9:ec:96:ea:9d:7b:63:0c:b2:b4:
    96:0a:9a:63:4b:75:62:ec:6e:25:26:2f:a6:77:ff:
    3f:75:c5:44:e6:e0:7a:fa:c6:cf:9f:ce:08:66:25:
    d5:4b:3b:13:b8:3a:92:59:0c:46:a1:b4:e3:d4:82:
    d1:cb:f4:99:ce:4f:40:7e:a6:92:2c:32:3c:b6:ed:
    4a:46:ff:7e:bc:55:51:d9
coefficient:
    00:9d:c7:09:74:a6:f6:f7:8a:2d:2c:d6:dd:32:ef:
    45:ef:be:06:e5:57:67:55:03:9a:87:a2:38:e5:86:
    5f:b1:4f:6a:cb:72:db:e2:a7:95:e4:e0:40:54:67:
    92:8e:20:dd:9a:02:59:7f:6f:ef:70:45:77:8b:48:
    25:68:1a:00:a3:60:23:5f:5e:41:e9:68:0c:68:fc:
    0a:42:a4:56:a8:29:ad:de:c9:8c:eb:b9:df:f6:00:
    ef:aa:e0:5a:06:72:54:80:9d:e0:ca:f4:d0:34:30:
    4d:4c:0e:d7:9c:e0:29:e2:b8:4d:be:a7:9a:39:15:
    fb:b7:5e:15:fa:18:44:f3:2a

OpenSSL how to generate 1024 bits CSR from a 2048 bits Private Key?

To answer the open titular question, you can't.

You can have different key sizes associated with certificates in the chain. For example, a Root CA might have a 4096-bit key that certifies a 2048-bit end-entity/server certificate. The standard has even been relaxed so you can have an EC certificate certifying an RSA certificate.

  • If I understood correctly: Do you mean multiple RSA Keys like: 4096bit-priv.pem, 2048bit-priv.pem and 1024bit-priv.pem can have same fingerprint? And to generate the CSR as above I need 1024bit-priv.pem with same fingerprint which we already have in test-priv.pem ?
    – Cyborg
    Commented Aug 27, 2017 at 16:38
  • "4096bit-priv.pem, 2048bit-priv.pem and 1024bit-priv.pem can have same fingerprint..." - Well, they can, but it's highly improbable. Effectively you would be finding collisions on the hash. Also see SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time. "I need 1024bit-priv.pem with same fingerprint?" - I don't believe so. The CA will take your name and public key, package them in an X.509 certificate, and sign the certificate to certify it.
    – jww
    Commented Aug 27, 2017 at 18:58
  • And to be clear, that's all a certificate does. It binds a public key to an identity. I've seen a lot of really bad explanations, so don't get side tracked. The fingerprint is a key identifier and it is used to speed up path building, a.k.a. "validating a chain". If you want the gory details, then see RFC 4158, Internet X.509 Public Key Infrastructure: Certification Path Building.
    – jww
    Commented Aug 27, 2017 at 18:58
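As an added example (not code from the answer above or from the sslshopper site), here is the check the "certificate-key matcher" effectively performs, done with the Python standard library on the two moduli dumped in the answer: parse each `-text` modulus, compute its real bit length, and compare. The `modulus_fingerprint` helper assumes the `Modulus=<uppercase hex>` line format that `openssl rsa -noout -modulus` prints, so hashing it reproduces the usual `... | openssl sha256` one-liner.

```python
import hashlib

# Moduli copied from the two `openssl ... -text` dumps in the answer above.
KEY_MODULUS = """
    00:df:67:e1:83:d9:e8:7e:b9:ec:7e:93:04:87:3f:
    23:b9:f4:3d:e3:8c:fb:2e:2c:bb:0c:b6:20:6b:43:
    b5:a0:8d:7f:5d:5f:6d:f0:b9:7a:91:d3:b7:ab:7e:
    2c:5d:09:1b:bb:18:1b:db:0e:85:ea:29:8e:10:8e:
    6f:a3:7f:8c:54:65:c2:54:ad:93:a4:51:c9:77:52:
    e3:b8:15:60:5e:ab:94:1b:f1:c4:03:f1:78:34:63:
    42:bf:2b:97:41:ca:fa:3e:8d:0d:bb:2a:24:93:14:
    0c:85:91:32:46:e0:6f:ac:d8:af:16:8f:41:ff:22:
    8f:56:d8:f1:18:96:47:28:0b:92:5e:1a:00:dc:02:
    a7:a5:86:40:70:70:9d:a0:92:0c:6c:22:d9:ba:3a:
    ca:ca:22:c5:9c:9c:6d:0d:1a:cd:0e:e3:82:dd:42:
    b9:86:7b:54:65:22:bd:cf:e2:f6:c4:d1:ff:00:5a:
    83:ce:ed:01:ff:66:99:99:47:a5:eb:37:2e:d4:28:
    a3:b4:e9:8f:32:58:16:4b:12:5a:66:a7:c4:da:86:
    b8:de:4b:f3:6a:de:00:51:a5:5e:0e:d3:a5:52:37:
    d9:34:b3:af:42:37:b2:82:4f:c9:ec:07:18:c5:92:
    e0:65:6b:25:9b:53:9e:31:d1:60:bc:96:8d:cd:93:
    41:1b
"""
CSR_MODULUS = """
    00:a9:51:1a:a8:bf:7f:16:02:dc:6a:59:d2:46:a6:
    63:e8:d8:25:e2:42:77:16:a2:c4:c8:1c:65:b8:7a:
    fc:dd:ba:2c:00:47:4a:83:67:c9:06:7d:00:d4:ca:
    76:fc:0d:a1:e1:75:6d:d7:ef:ea:50:51:fd:78:74:
    58:fe:a5:22:64:b9:78:d1:ec:ae:91:17:07:98:db:
    b4:9f:2a:3d:58:31:3a:f1:57:10:f0:73:fc:db:2b:
    cb:fa:b4:bb:90:1f:ee:d6:88:d4:55:a0:b0:4c:51:
    85:c9:fe:5f:fa:f9:07:96:99:33:f4:21:23:73:8e:
    20:7e:a6:00:b3:0c:d5:43:39
"""

def parse_modulus(dump: str) -> int:
    # Drop whitespace and the colon separators, then read the hex as one integer.
    # The leading 00 byte is DER sign padding, so it does not count toward key size.
    return int("".join(dump.split()).replace(":", ""), 16)

def key_bits(n: int) -> int:
    return n.bit_length()  # the real key size: 2048 for the key, 1024 for the CSR

def modulus_fingerprint(n: int) -> str:
    # Hash the same "Modulus=<HEX>" line `openssl rsa -noout -modulus` prints (assumed format).
    return hashlib.sha256(f"Modulus={n:X}\n".encode()).hexdigest()

def matches(key_dump: str, csr_dump: str) -> bool:
    # The matcher check: a key and a CSR belong together only if the moduli are identical.
    return parse_modulus(key_dump) == parse_modulus(csr_dump)
```

Because the 1024-bit CSR modulus is not the key's modulus, the two cannot share a fingerprint; a matching fingerprint on the sslshopper page can only come from a different key file than the one dumped here.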
