Table of Contents

Ubuntu - Certificates - Get the key length from a certificate

Using ssh-keygen

ssh-keygen -lf /etc/ssh/rsa_key.pub 

shows

2048 d1:cb:15:df:5d:44:...

2048 is the keylength.


Using openssl

With openssl, if your private key is in file id_rsa, then:

openssl rsa -text -noout -in id_rsa

will print the private key contents, and the first line of output contains the modulus size in bits. If the key is protected by a passphrase you will have to type that passphrase, of course.

For example

openssl x509 -in sharewiz-certificate.pem -noout -text
 
Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 7829 (0x1e95)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=JE, ST=St. Helier, L=Jersey, O=sharewiz.net,
               OU=Tech,
               CN=sharewiz.net CA/emailAddress=server-certs@sharewiz.net
       Validity   
           Not Before: Jan  9 18:04:02 2001 GMT
           Not After : Jan  9 18:04:02 2002 GMT
       Subject: C=JE, ST=St. Helier, L=Jersey, O=sharewiz.net,
                OU=sharewiz.net, CN=www.sharewiz.net/emailAddress=admin@sharewiz.net
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                   33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                   66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                   70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                   16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                   c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                   8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                   d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                   e8:35:1c:9e:27:52:7e:41:8f
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
       92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
       ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
       d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
       0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
       5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
       8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
       68:9f

If you only have the public key, then OpenSSL won't help directly. You can still do that with OpenSSL the following way:

Open the public key file with a text editor. You will find something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDo2xko99piegEDgZCrobfFTvXUTFDbWT
ch4IGk5mk0CelB5RKiCvDeK4yhDLcj8QNumaReuwNKGjAQwdENsIT1UjOdVvZOX2d41/p6J
gOCD1ujjwuHWBzzQvDA5rXdQgsdsrJIfNuYr/+kIIANkGPPIheb2Ar2ccIWh9giwNHDjkXT
JXTVQ5Whc0mGBU/EGdlCD6poG4EzCc0N9zk/DNSMIIZUInySaHhn2f7kmfoh5LRw7RF3c2O
5tCWIptu8u8ydIxz9q5zHxxKS+c7q4nkl9V/tVjZx8sneNZB+O79X1teq7LawiYJyLulUMi
OEoiL1YH1SE1U93bUcOWvpAQ5 server1@sharewiz.com

With your mouse, select the first characters of the middle blob (after the ssh-rsa); this is Base64 and OpenSSL can decode that:

echo "AAAAB3NzaC1yc2EAAAADAQABAAABAQDDo2xko99piegEDgZC" | openssl base64 -d | hd

OpenSSL is picky, he will require that you input no more than 76 characters as one line, and the number of characters must be a multiple of 4. The line above will print out this:

00000000  00 00 00 07 73 73 68 2d  72 73 61 00 00 00 03 01  |....ssh-rsa.....|
00000010  00 01 00 00 01 01 00 c3  a3 6c 64 a3 df 69 89 e8  |.........ld..i..|
00000020  04 0e 06 42                                       |...B|

This reads as such:

00 00 00 07             The length in bytes of the next field
73 73 68 2d 72 73 61    The key type (ASCII encoding of "ssh-rsa")
00 00 00 03             The length in bytes of the public exponent
01 00 01                The public exponent (usually 65537, as here)
00 00 01 01             The length in bytes of the modulus (here, 257)
00 c3 a3...             The modulus

So the key has type RSA, and its modulus has length 257 bytes, except that the first byte has value “00”, so the real length is 256 bytes (that first byte was added so that the value is considered positive, because the internal encoding rules call for signed integers, the first bit defining the sign). 256 bytes is 2048 bits.