OpenSSL can generate several kinds of public/private keypairs. RSA is the most common kind of keypair generation. Other popular ways of generating RSA public key / private key pairs.

From lxadm Linux administration tips, tutorials, HOWTOs and articles
Jump to: navigation, search

Generating 1024 bit DKIM key


To generate a DKIM key with openssl, do the following - this will generate you a 1024 bit DKIM key:

Your generated public key will remind something like below:

If you need to supply the public.key in the DNS record as follows, you have to 'convert' it manually to be in one line, i.e.:

In bind/named compatible format, it will look like below TXT record:

Generating 2048 bit DKIM key

Please note that you may want to use a 2048 bit DKIM key - in this case, use the following openssl commands:

However, 2048 bit public DKIM key is too long to fit into one single TXT record - which can be up to 255 characters. Assuming your full public key is as follows:

Rsa Public Key Example need to split the text field into parts having 255 characters or less:

There are several limitations to 2048 bit DKIM records:

  • While bind/named supports TXT fields being split into several parts, some DNS hostings may still not support it.
  • If the total size of the DNS record is larger than 512 bytes, it will be sent over TCP, not UDP. Some buggy firewalls may not permit DNS packets over TCP.
Retrieved from ''
If you're using openssl_pkey_new() in conjunction with openssl_csr_new() and want to change the CSR digest algorithm as well as specify a custom key size, the configuration override should be defined once and sent to both functions:
= array(
'digest_alg' => 'sha1',
'private_key_bits' => 2048,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
$privkey = openssl_pkey_new($config);
$csr = openssl_csr_new($dn, $privkey, $config);

Although openssl_pkey_new() will accept the 'digest_alg' argument it won't use it, and setting the value has no effect unless you also set this value for openssl_csr_new(). The reason for this is that the $config array is acting as a drop-in replacement for the values found in the openssl.cnf file, so it must contain all of the override values that you need even if the function they're being sent to won't use them.
Also, if you change the 'digest_alg' to something like 'sha256' and still get an MD5 signed CSR check your openssl.cnf file to see whether the digest algorithm you want to use is actually supported.
Coments are closed
Scroll to top