> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
> Sent: Wednesday, 17 June, 2009 17:38

> There is no upper limit on the size of an x.509 certificate 
> file in DER.  

Right. Although the size of the basic elements can be 
estimated fairly well: the size of KeyInfo is determined by 
the algorithm/parameters (if any) and keysize; the size of 
the issuer and subject names depends on who assigns the names 
and how, but can usually be estimated; the serial never has 
any need to be larger than maybe 64 octets; validity is almost 
fixed; signature is determined by the signing=issuing=CA key.
But the set of extensions is open-ended; some existing ones 
can already be large, and more could be added at any time.
(Although not necessarily to *openssl-generated* certs.)

> PEM takes DER and increases its size by 4/3.  
> So no, there is no upper limit on the size of a PEM format 
> certificate.
> 
Actually slightly more than 4/3 (for linebreaks) 
plus the header and trailer = about 50.
But no limit in principle, correct.

Although of course an actual program including openssl 
has some limits on how large a data structure it can create 
and encode, or read and represent internally and use.
And all file systems have some limit on what can be stored,
though now (always?) larger than for 32bit programs at least.

And there is always a practical limit, that if a certificate 
(or chain) is so large it takes more time or space than is 
acceptable to users, it won't get used. What is acceptable 
varies across users and over time, but I would say anyone who 
now puts more than a few megabytes in a cert will be unpopular.

> Your private key is 4096 bits, or 512 bytes.  OpenSSL stores 
> private keys with their public counterparts (another 512 
> bytes), padding (1 byte for each part of it), exponent 
> (usually 3 bytes), and the tag required to identify it as a 
> PrivateKeyInfo structure (about another 6 bytes all told, 
> though I might be off on my count).  So, that's about 1.1k.  

For an RSA private key openssl uses the more-efficient CRT form, 
which includes the modulus (512), both factors (256*2), 
the public value e (small), private value d (512),
two sub-exponents and a coefficient (256*3), 
plus padding, tags and lengths as needed ~ 2.25K.
Or in general 4.5*modulus_size plus a little.

<snip rest based on false premise>


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
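The two size estimates in the reply above (PEM at slightly more than 4/3 of DER plus about 50 bytes of header/trailer, and an RSA CRT private key at roughly 4.5 times the modulus size) can be checked by encoding the PKCS#1 RSAPrivateKey structure directly. The following is an added example, not code from the thread or from OpenSSL; the helper names are hypothetical, and the "worst case" key fields are constructed all-ones values chosen so every INTEGER pays DER's 0x00 sign-padding byte, giving an upper bound rather than a usable key.

```python
import base64

RSA_E = 65537  # the common public exponent; e=3 would shave two bytes


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count then big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a value whose top bit is set positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body


def rsa_private_key_der(n, e, d, p, q, dp, dq, qinv) -> bytes:
    """PKCS#1 RSAPrivateKey: version 0 followed by the eight CRT fields."""
    return der_seq(der_int(0), *(der_int(x) for x in (n, e, d, p, q, dp, dq, qinv)))


def pem_encode(der: bytes, label: str = "RSA PRIVATE KEY") -> str:
    """PEM: base64 of the DER in 64-character lines between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def worst_case_sizes(bits: int) -> tuple:
    """Upper bound for a bits-long modulus: every field is all-ones, so each
    INTEGER pays the 0x00 pad byte.  Constructed values, not a usable key."""
    full, half = (1 << bits) - 1, (1 << (bits // 2)) - 1
    der = rsa_private_key_der(full, RSA_E, full, half, half, half, half, half)
    return len(der), len(pem_encode(der))


if __name__ == "__main__":
    for bits in (2048, 4096):
        der_size, pem_size = worst_case_sizes(bits)
        print(f"{bits}-bit: 4.5*modulus = {4.5 * bits // 8:.0f}, DER <= {der_size}, PEM <= {pem_size}")
```

For a 4096-bit modulus the bound comes out at 2351 bytes of DER against the 2304 (4.5 * 512) rule of thumb, and 3247 bytes of PEM, i.e. 4/3 of the DER plus 49 line breaks plus 62 bytes of BEGIN/END lines.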
